[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 1281 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                S. 1281

   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 25, 2017

 Ms. Hassan (for herself, Mr. Portman, Mrs. McCaskill, and Ms. Harris) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL

   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Hack the Department of Homeland 
Security Act of 2017'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which an approved computer security 
        specialist or security researcher is temporarily authorized to 
        identify and report vulnerabilities within the information 
        system of the Department in exchange for cash payment.
            (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (3) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (4) Pilot program.--The term ``pilot program'' means the 
        bug bounty pilot program required to be established under 
        subsection (b)(1).
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
    (b) Establishment of Pilot Program.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary shall establish a bug 
        bounty pilot program to minimize vulnerabilities to the 
        information systems of the Department.
            (2) Requirements.--In establishing the pilot program, the 
        Secretary shall--
                    (A) provide monetary compensation for reports of 
                previously unidentified security vulnerabilities within 
                the websites, applications, and other information 
                systems of the Department that are accessible to the 
                public;
                    (B) develop an expeditious process by which 
                computer security researchers can register with the 
                Department, submit to a background check as determined 
                by the Department, and receive a determination as to 
                approval for participation in the pilot program;
                    (C) designate mission-critical operations within 
                the Department that should be excluded from the pilot 
                program;
                    (D) consult with the Attorney General on how to 
                ensure that computer security specialists and security 
                researchers who participate in the pilot program are 
                protected from prosecution under section 1030 of title 
                18, United States Code, and similar provisions of law 
                for specific activities authorized under the pilot 
                program;
                    (E) consult with the relevant offices at the 
                Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent Department of Defense bug bounty 
                programs;
                    (F) award competitive contracts as necessary to 
                manage the pilot program and for executing the 
                remediation of vulnerabilities identified as a 
                consequence of the pilot program; and
                    (G) engage interested persons, including commercial 
                sector representatives, about the structure of the 
                pilot program as constructive and to the extent 
                practicable.
    (c) Report.--Not later than 90 days after the date on which the 
pilot program is completed, the Secretary of Homeland Security shall 
submit to the Committee on Homeland Security and Governmental Affairs 
of the Senate and the Committee on Homeland Security of the House of 
Representatives a report on the pilot program, which shall include--
            (1) the number of computer security researchers involved in 
        the pilot program, broken down by the number of computer 
        security researchers who--
                    (A) registered;
                    (B) were approved;
                    (C) submitted security vulnerabilities; and
                    (D) received monetary compensation;
            (2) the number and severity of previously unidentified 
        vulnerabilities reported as part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
            (5) the average amount of monetary compensation paid per 
        unique vulnerability submitted under the pilot program and the 
        total amount of monetary compensation paid to computer security 
        researchers under the pilot program; and
            (6) the lessons learned from the pilot program.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Department $250,000 for fiscal year 2018 to carry 
out this Act.