Last month Sen. Hassan (D,NH) introduced S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The bill would require DHS to set up a pilot program to establish a bug bounty program to minimize vulnerabilities to the information systems of the Department.
Pilot Program
The bill would require that the pilot program include registration and background checks for those security researchers participating in the program. It would provide for bounties to be paid “for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public” {§2(b)(2)(A)}. The program would be patterned on the DOD’s “Hack the Pentagon” program.
The bill authorizes $250,000 for the pilot program. Since the bill calls for letting competitive contracts for both running the program and remediating the vulnerabilities reported, it is not clear if these funds are for the administrative costs or the bounties. In either case, the amount seems low.
This bill is definitely IT centric, as it uses the limited definition of ‘information systems’ found at 44 USC 3502(8). Thus, it would seem to exclude building control systems and security systems used by the Department. Additionally, DHS is required to designate ‘mission critical’ operations within the Department that would be exempt from the program.
Moving Forward
Hassan is not [corrected 10-4-17, 8:45 EDT] on the Homeland Security and Governmental Affairs Committee to which this bill has been assigned for consideration. All three of her cosponsors are (with two being fairly high-ranking Democrats), so there is a distinct possibility that the bill could be considered in Committee.
I do not see anything within the bill that would engender any significant opposition to the bill, either in committee or on the floor of the Senate.
Commentary
The one thing missing from this bill is any discussion about the publication of the vulnerabilities reported in the program. Presumably, most of the software involved will be commercial software, so there would be a public interest in having coordinated disclosures of the vulnerabilities in publicly available software. Disclosures in DHS custom or proprietary software could certainly be argued against.
An interesting point is raised in this bill. Section 2(b)(2)(B) specifically requires the Department to “consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program”.
This strikes me as a tad bit paranoid, since the researchers are having to register with DHS to participate in the program. This means that they would be accessing the systems with permission, which would preclude prosecution under §1030.
That some researchers would request specific written permission with §1030 in mind would be understandable (security researchers should be paranoid), but for this verbiage to be included in the bill would seem to indicate an unusual level of paranoia in a Senate staffer (they write the bills in most cases), or someone is trying to make points with the cybersecurity community.