The General Services Administration’s Technology Transfer Service (TTS) has published a vulnerability disclosure policy which it says which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems, including vote.gov, micropurchase.18f.gov., vote.gov, analytics.usa.gov and calc.gsa.gov.
According to the GSA, “there will always be more expertise outside our organization than on the inside,” and it wants these “outside” security researchers to help protect the government systems by reporting vulnerabilities.
Some researchers hesitate to participate in vulnerability disclosure at a federal level for fear of prosecution under the Computer Fraud and Abuse Act (CFAA), which governs the unauthorized use of information systems, but researchers who comply with GSA’s vulnerability disclosure policy may consider themselves “authorized,” said the GSA.
The Department of Defense also just publicly released their vulnerability disclosure policy for every public Defense web service. While GSA’s policy is not identical to theirs, they both have very similar language around legal authorization and meet the same goal of giving the public a way of legally reporting security vulnerabilities without the fear of prosecution.
The official document lives in GitHub. Those interested in commenting or suggesting a change to the policy may open a GitHub issue.