[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3868 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 3868

 To establish a bug bounty pilot program within the Department of the 
                   Treasury, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 28, 2017

   Mr. Budd introduced the following bill; which was referred to the 
 Committee on Financial Services, and in addition to the Committee on 
   Ways and Means, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To establish a bug bounty pilot program within the Department of the 
                   Treasury, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Treasury Innovation Act''.

SEC. 2. DEPARTMENT OF THE TREASURY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) Bug bounty pilot program.--The term ``bug bounty pilot 
        program'' means a program under which an approved computer 
        security specialist or security researcher is temporarily 
        authorized to identify and report vulnerabilities within the 
        information system of the Department in exchange for cash 
        payment.
            (2) Department.--The term ``Department'' means the 
        Department of the Treasury.
            (3) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (4) Pilot program.--The term ``pilot program'' means the 
        bug bounty pilot program required to be established under 
        subsection (b)(1).
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of the Treasury.
    (b) Establishment of Pilot Program.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Secretary shall establish a bug 
        bounty pilot program to minimize vulnerabilities to the 
        information systems of the Department.
            (2) Requirements.--In establishing the pilot program, the 
        Secretary shall--
                    (A) provide monetary compensations for reports of 
                previously unidentified security vulnerabilities within 
                the websites, applications, and other information 
                systems of the Department that are accessible to the 
                public;
                    (B) develop an expeditious process by which 
                computer security researchers can register for the 
                pilot program, submit to a background check as 
                determined by the Department, and receive a 
                determination as to approval for participation in the 
                pilot program;
                    (C) designate mission-critical operations within 
                the Department that should be excluded from the pilot 
                program;
                    (D) consult with the Attorney General on how to 
                ensure that computer security specialists and security 
                researchers who participate in the pilot program are 
                protected from prosecution under section 1030 of title 
                18, United States Code, and similar laws for specific 
                activities authorized under the pilot program;
                    (E) consult with the relevant offices at the 
                Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent similar programs at the Department of 
                Defense;
                    (F) award competitive contracts as necessary to 
                manage the pilot program and for executing the 
                remediation of vulnerabilities identified as a 
                consequence of the pilot program; and
                    (G) engage interested persons, to include 
                commercial sector representatives, about the structure 
                of the pilot program as constructive and to the extent 
                practicable.
    (c) Report.--Not later than 90 days after the date on which the 
pilot program is completed, the Secretary shall submit to the Committee 
on Financial Services of the House of Representatives and the Committee 
on Banking, Housing, and Urban Affairs of the Senate a report on the 
pilot program, which shall include--
            (1) the number of computer security researchers who 
        registered, were approved, submitted security vulnerabilities, 
        and received monetary compensation;
            (2) the number and severity of previously unidentified 
        vulnerabilities reported as part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
            (5) the average amount of money paid per unique 
        vulnerability submitted and the total amount of money paid to 
        security researchers under the pilot program; and
            (6) the lessons learned from the pilot program.
    (d) Authorization of Appropriations.--There is authorized to be 
appropriated to the Secretary of the Treasury $100,000 for fiscal year 
2019 to carry out this Act.