[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2774 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 2774

   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              June 6, 2017

Mr. Ted Lieu of California (for himself and Mr. Taylor) introduced the 
    following bill; which was referred to the Committee on Homeland 
                                Security

_______________________________________________________________________

                                 A BILL


 
   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Hack the Department of Homeland 
Security Act of 2017'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which an approved computer security 
        specialist or security researcher is temporarily authorized to 
        identify and report vulnerabilities within the information 
        system of the Department in exchange for cash payment.
            (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (3) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (4) Pilot program.--The term ``pilot program'' means the 
        bug bounty pilot program required to be established under 
        subsection (b)(1).
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
    (b) Establishment of Pilot Program.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Secretary shall establish a bug 
        bounty pilot program to minimize vulnerabilities to the 
        information systems of the Department.
            (2) Requirements.--In establishing the pilot program, the 
        Secretary shall--
                    (A) provide monetary compensations for reports of 
                previously unidentified security vulnerabilities within 
                the websites, applications, and other information 
                systems of the Department that are accessible to the 
                public;
                    (B) develop an expeditious process by which 
                computer security researchers can register for the 
                pilot program, submit to a background check as 
                determined by the Department, and receive a 
                determination as to approval for participation in the 
                pilot program;
                    (C) designate mission-critical operations within 
                the Department that should be excluded from the pilot 
                program;
                    (D) consult with the Attorney General on how to 
                ensure that computer security specialists and security 
                researchers who participate in the pilot program are 
                protected from prosecution under section 1030 of title 
                18, United States Code, and similar statutes for 
                specific activities authorized under the pilot program;
                    (E) consult with the relevant offices at the 
                Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent Department of Defense bug bounty 
                programs;
                    (F) award competitive contracts as necessary to 
                manage the pilot program and for executing the 
                remediation of vulnerabilities identified as a 
                consequence of the pilot program; and
                    (G) engage interested persons, to include 
                commercial sector representatives, about the structure 
                of the pilot program as constructive and to the extent 
                practicable.
    (c) Report.--Not later than 90 days after the date on which the 
pilot program is completed, the Secretary shall submit to the Committee 
on Homeland Security and Governmental Affairs of the Senate and the 
Committee on Homeland Security of the House of Representatives a report 
on the pilot program, which shall include--
            (1) the number of computer security researchers who 
        registered, were approved, submitted security vulnerabilities, 
        and received monetary compensation;
            (2) the number and severity of previously unidentified 
        vulnerabilities reported as part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
            (5) the average amount of money paid per unique 
        vulnerability submitted and the total amount of money paid to 
        security researchers under the pilot program; and
            (6) the lessons learned from the pilot program.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Department $250,000 for fiscal year 2018 to carry 
out this Act.