_posts/2016-11-22-a-vulnerability-disclosure-policy-for-the-technology-transformation-service.md
---
title: "A vulnerability disclosure policy for the Technology Transformation Service"
authors:
- kimberdowsett
tags:
- security
- technology transformation services
excerpt: "We’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service, which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems. We want a clear path for security researchers to tell us about vulnerabilities on our systems, and to assure those researchers that we won’t pursue legal action against them."
image: /assets/blog/security/vulns.jpg
---

*“Where there is great power, there is great responsibility.” - Winston
Churchill, 1906*

We want a clear reporting path for security researchers to tell us about
vulnerabilities on our systems, and we want researchers who coordinate
with us to resolve these vulnerabilities to have assurances that we
won't pursue legal action against them.

To do this, we’ve published a [vulnerability disclosure
policy](https://18f.gsa.gov/vulnerability-disclosure-policy/) for 18F's parent organization, GSA's
[Technology Transformation Service (TTS)](https://gsa.gov/tts), which
lays out rules of the road for reporting vulnerabilities to various
TTS-operated systems, such as [vote.gov](https://vote.gov/) and
[micropurchase.18f.gov](https://micropurchase.18f.gov/). We plan to update
the scope to include all TTS-operated systems in the near future.

While our projects already adhere to strict security standards, we're
not perfect. There will always be more expertise outside our
organization than on the inside, and outside security researchers should
feel just as welcome in raising a "red flag" as our own staff. What's
most important is that we protect the government's systems and the
information the public entrusts to them. We don't care who submits a
vulnerability; we just want to fix it as soon as possible.

We also recognize that some researchers hesitate to participate in
vulnerability disclosure at a federal level for fear of prosecution
under the [Computer Fraud and Abuse
Act](https://www.law.cornell.edu/uscode/text/18/1030) (CFAA), which
governs the unauthorized use of information systems.

Our vulnerability disclosure policy is direct: if a researcher makes a
good faith effort to comply with our policy and its scope, then we
consider their use **authorized**, and the General Services
Administration won't initiate or recommend legal action against them.

To report a vulnerability, make sure you’ve read the policy, and contact
us at
[tts-vulnerability-reports@gsa.gov](mailto:tts-vulnerability-reports@gsa.gov)
or through
[this reporting form](https://docs.google.com/forms/d/e/1FAIpQLSdhr6REOq8QRZ3C2cRWVHWbjcGgdNL8_nVSGY1cBSl1-tfkWA/viewform).
Reports may be submitted anonymously. We’re still in our early
stages, so if you have an idea on how to improve our policy, or have a
question, [submit a pull request or open an issue on
GitHub](https://github.com/18F/vulnerability-disclosure-policy).

We also want to acknowledge the great work done by our colleagues at the
Department of Defense, who just [publicly
released](http://www.defense.gov/News/News-Releases/News-Release-View/Article/1009956/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army-kick-off)
their [vulnerability disclosure policy for every public Defense web
service](https://hackerone.com/deptofdefense). While our policy is not
identical to theirs, they both have very similar language around legal
authorization and meet the same goal: clearing the way for members of
the public to help secure their government’s systems.

We hope our vulnerability disclosure policy can serve as an example to
other government agencies, giving researchers the confidence and
enthusiasm to help improve the security of public systems. At the end of
the day, we all have the same goal: *Secure all the things!* We're
excited to work with the security community, and look forward to your
feedback and your reports!