[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 1281 Reported in House (RH)]

                                                 Union Calendar No. 752
115th CONGRESS
  2d Session
                                S. 1281

                          [Report No. 115-964]


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 18, 2018

             Referred to the Committee on Homeland Security

                           September 25, 2018

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on April 
                               18, 2018]


_______________________________________________________________________

                                 An Act


 
   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Hack the Department of Homeland 
Security Act of 2018'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which--
                    (A) individuals, organizations, and companies are 
                temporarily authorized to identify and report 
                vulnerabilities of appropriate information systems of 
                the Department; and
                    (B) eligible individuals, organizations, and 
                companies receive compensation in exchange for such 
                reports.
            (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (3) Eligible individual, organization, or company.--The 
        term ``eligible individual, organization, or company'' means an 
        individual, organization, or company that meets such criteria 
        as the Secretary determines in order to receive compensation in 
        compliance with Federal laws.
            (4) Information system.--The term ``information system'' 
        has the meaning given that term by section 3502 of title 44, 
        United States Code.
            (5) Pilot program.--The term ``pilot program'' means the 
        bug bounty pilot program required to be established under 
        subsection (b)(1).
            (6) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
    (b) Establishment of Pilot Program.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary shall establish, within 
        the Office of the Chief Information Officer, a bug bounty pilot 
        program to minimize vulnerabilities of appropriate information 
        systems of the Department.
            (2) Requirements.--In establishing and conducting the pilot 
        program, the Secretary shall--
                    (A) designate appropriate information systems to be 
                included in the pilot program;
                    (B) provide compensation to eligible individuals, 
                organizations, and companies for reports of previously 
                unidentified security vulnerabilities within the 
                information systems designated under subparagraph (A);
                    (C) establish criteria for individuals, 
                organizations, and companies to be considered eligible 
                for compensation under the pilot program in compliance 
                with Federal laws;
                    (D) consult with the Attorney General on how to 
                ensure that approved individuals, organizations, or 
                companies that comply with the requirements of the 
                pilot program are protected from prosecution under 
                section 1030 of title 18, United States Code, and 
                similar provisions of law, and civil lawsuits for 
                specific activities authorized under the pilot program;
                    (E) consult with the Secretary of Defense and the 
                heads of other departments and agencies that have 
                implemented programs to provide compensation for 
                reports of previously undisclosed vulnerabilities in 
                information systems, regarding lessons that may be 
                applied from such programs; and
                    (F) develop an expeditious process by which an 
                individual, organization, or company can register with 
                the Department, submit to a background check as 
                determined by the Department, and receive a 
                determination as to eligibility; and
                    (G) engage qualified interested persons, including 
                non-government sector representatives, about the 
                structure of the pilot program as constructive and to 
                the extent practicable.
            (3) Contract.--In establishing the pilot program, the 
        Secretary, subject to the availability of appropriations, may 
        award one or more competitive contracts to an entity, as 
        necessary, to manage the pilot program.
    (c) Report.--Not later than 180 days after the date on which the 
pilot program is completed, the Secretary of Homeland Security shall 
submit to the Committee on Homeland Security and Governmental Affairs 
of the Senate and the Committee on Homeland Security of the House of 
Representatives a report on the pilot program, which shall include--
            (1) the number of individuals, organizations, or companies 
        that participated in the pilot program, broken down by the 
        number of individuals, organizations, or companies that--
                    (A) registered;
                    (B) were determined eligible;
                    (C) submitted security vulnerabilities; and
                    (D) received compensation;
            (2) the number and severity of vulnerabilities reported as 
        part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the current number of outstanding previously 
        unidentified security vulnerabilities and Department 
        remediation plans;
            (5) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
            (6) the types of compensation provided under the pilot 
        program; and
            (7) the lessons learned from the pilot program.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Department $250,000 for fiscal year 2019 to carry 
out this Act.