Guidelines for bug reporting
- By Chase Gunter
- Nov 30, 2016
Security researchers who find vulnerabilities in government websites now have a way to report them without fear of prosecution for unauthorized use of government information systems.
The General Services Administration's Technology Transformation Service has released a new policy that encourages researchers to report vulnerabilities so TTS can fix them in a timely fashion.
The guidance only applies to the following domains: vote.gov, analytics.usa.gov, calc.gsa.gov, micropurchase.18f.gov and 18f.gsa.gov. Researchers who probe domains not listed in the guidance are not protected. In a recent blog post, 18F's Kimber Dowsett said officials plan to eventually include all agency-operated systems under the policy.
Researchers who come across personally identifiable, financial or proprietary government information are instructed to immediately alert TTS.
The guidelines also limit the use of exploits beyond what is necessary to verify a vulnerability, protect data confidentiality and avoid privacy violations. User interface bugs, denial-of-service tests and nontechnical vulnerability testing -- such as physical testing or social engineering -- are excluded from legal protection.
The policy states that all reports should include where the vulnerability was found, its potential impact, how to reproduce the vulnerability and any other helpful technical information.
TTS said it will accept reports submitted anonymously and might share the information with the U.S. Computer Emergency Readiness Team, affected parties and open-source projects.
Additionally, TTS has asked that security researchers wait 90 days before publicly disclosing a vulnerability they have reported.
The policy also states that if security researchers make a "good faith effort" to comply with its scope and guidelines, GSA will collaborate with researchers to resolve vulnerabilities and not pursue legal action.
TTS is not the first government agency to release a vulnerability reporting policy of this nature. The Defense Department recently unveiled a similar policy for all its public websites.
This article was first posted to FCW, a sister site to GCN.
Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.
Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.
Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter