The General Services Administration’s (GSA) in-house technology service, 18F, has announced new vulnerability disclosure policies for its parent organization, the Technology Transformation Service (TTS), to enable security researchers to more easily report vulnerabilities on TTS-operated systems.
“We want a clear reporting path for security researchers to tell us about vulnerabilities on our systems, and we want researchers who coordinate with us to resolve these vulnerabilities to have assurances that we won’t pursue legal action against them,” 18F wrote in the press release announcing the policy.
The new policy allows researchers to report discovered vulnerabilities through an online reporting form or through email and ensures that researchers won’t be charged with a crime as long as they follow the rules established in the policy.
“We also recognize that some researchers hesitate to participate in vulnerability disclosure at a Federal level for fear of prosecution under the Computer Fraud and Abuse Act (CFAA), which governs the unauthorized use of information systems,” the release said. “Our vulnerability disclosure policy is direct: if a researcher makes a good faith effort to comply with our policy and its scope, then we consider their use authorized, and the General Services Administration won’t initiate or recommend legal action against them.”
18F applauded vulnerability disclosure policies established in other agencies, such as the Department of Defense, and encouraged agencies without policies to consider establishing them.
“At the end of the day, we all have the same goal: Secure all the things! We’re excited to work with the security community, and look forward to your feedback and your reports!” the release said.