Guidelines for bug reporting

Guidelines for bug reporting

Security researchers who find vulnerabilities in government websites now have a way to report them without fear of prosecution for unauthorized use of government information systems.

The General Services Administration's Technology Transformation Service has released a new policy that encourages researchers to report vulnerabilities so TTS can fix them in a timely fashion.

The guidance only applies to the following domains:,,, and Researchers who probe domains not listed in the guidance are not protected. In a recent blog post, 18F's Kimber Dowsett said officials plan to eventually include all agency-operated systems under the policy.

Researchers who come across personally identifiable, financial or proprietary government information are instructed to immediately alert TTS.

The guidelines also limit the use of exploits beyond what is necessary to verify a vulnerability, protect data confidentiality and avoid privacy violations. User interface bugs, denial-of-service tests and nontechnical vulnerability testing -- such as physical testing or social engineering -- are excluded from legal protection.

The policy states that all reports should include where the vulnerability was found, its potential impact, how to reproduce the vulnerability and any other helpful technical information.

TTS said it will accept reports submitted anonymously and might share the information with the U.S. Computer Emergency Readiness Team, affected parties and open-source projects.

Additionally, TTS has asked that security researchers wait 90 days before publicly disclosing a vulnerability they have reported.

The policy also states that if security researchers make a "good faith effort" to comply with its scope and guidelines, GSA will collaborate with researchers to resolve vulnerabilities and not pursue legal action.

TTS is not the first government agency to release a vulnerability reporting policy of this nature. The Defense Department recently unveiled a similar policy for all its public websites.

This article was first posted to FCW, a sister site to GCN.

About the Author

Chase Gunter is a former FCW staff writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected