“Where there is great power, there is great responsibility.” - Winston Churchill, 1906
We want a clear reporting path for security researchers to tell us about vulnerabilities on our systems, and we want researchers who coordinate with us to resolve these vulnerabilities to have assurances that we won't pursue legal action against them.
To do this, we’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service (TTS), which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems, such as vote.gov and micropurchase.18f.gov. We plan to update the scope to include all TTS-operated systems in the near future.
While our projects already adhere to strict security standards, we're not perfect. There will always be more expertise outside our organization than on the inside, and outside security researchers should feel just as welcome in raising a "red flag" as our own staff. What's most important is that we protect the government's systems and the information the public entrusts to them. We don't care who submits a vulnerability; we just want to fix it as soon as possible.
We also recognize that some researchers hesitate to participate in vulnerability disclosure at a federal level for fear of prosecution under the Computer Fraud and Abuse Act (CFAA), which governs the unauthorized use of information systems.
Our vulnerability disclosure policy is direct: if a researcher makes a good faith effort to comply with our policy and its scope, then we consider their use authorized, and the General Services Administration won't initiate or recommend legal action against them.
To report a vulnerability, make sure you’ve read the policy, and contact us at tts-vulnerability-reports@gsa.gov or through this reporting form. Reports may be submitted anonymously. We’re still in our early stages, so if you have an idea on how to improve our policy, or have a question, submit a pull request or open an issue on GitHub.
We also want to acknowledge the great work done by our colleagues at the Department of Defense, who just publicly released their vulnerability disclosure policy for every public Defense web service. While our policy is not identical to theirs, they both have very similar language around legal authorization and meet the same goal: clearing the way for members of the public to help secure their government’s systems.
We hope our vulnerability disclosure policy can serve as an example to other government agencies, giving researchers the confidence and enthusiasm to help improve the security of public systems. At the end of the day, we all have the same goal: Secure all the things! We're excited to work with the security community, and look forward to your feedback and your reports!