[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 1281 Reported in Senate (RS)]

                                                       Calendar No. 335
115th CONGRESS
  2d Session
                                S. 1281

                          [Report No. 115-209]

   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 25, 2017

 Ms. Hassan (for herself, Mr. Portman, Mrs. McCaskill, Ms. Harris, and 
 Mr. Gardner) introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

                           February 26, 2018

               Reported by Mr. Johnson, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL
   To establish a bug bounty pilot program within the Department of 
               Homeland Security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Hack the Department of 
Homeland Security Act of 2017'' or the ``Hack DHS Act''.</DELETED>

<DELETED>SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT 
              PROGRAM.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Bug bounty program.--The term ``bug bounty 
        program'' means a program under which an approved computer 
        security specialist or security researcher is temporarily 
        authorized to identify and report vulnerabilities within the 
        information system of the Department in exchange for cash 
        payment.</DELETED>
        <DELETED>    (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.</DELETED>
        <DELETED>    (3) Information system.--The term ``information 
        system'' has the meaning given the term in section 3502 of 
        title 44, United States Code.</DELETED>
        <DELETED>    (4) Pilot program.--The term ``pilot program'' 
        means the bug bounty pilot program required to be established 
        under subsection (b)(1).</DELETED>
        <DELETED>    (5) Secretary.--The term ``Secretary'' means the 
        Secretary of Homeland Security.</DELETED>
<DELETED>    (b) Establishment of Pilot Program.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, the Secretary shall establish a 
        bug bounty pilot program to minimize vulnerabilities to the 
        information systems of the Department.</DELETED>
        <DELETED>    (2) Requirements.--In establishing the pilot 
        program, the Secretary shall--</DELETED>
                <DELETED>    (A) provide monetary compensation for 
                reports of previously unidentified security 
                vulnerabilities within the websites, applications, and 
                other information systems of the Department that are 
                accessible to the public;</DELETED>
                <DELETED>    (B) develop an expeditious process by 
                which computer security researchers can register with 
                the Department, submit to a background check as 
                determined by the Department, and receive a 
                determination as to approval for participation in the 
                pilot program;</DELETED>
                <DELETED>    (C) designate mission-critical operations 
                within the Department that should be excluded from the 
                pilot program;</DELETED>
                <DELETED>    (D) consult with the Attorney General on 
                how to ensure that computer security specialists and 
                security researchers who participate in the pilot 
                program are protected from prosecution under section 
                1030 of title 18, United States Code, and similar 
                provisions of law for specific activities authorized 
                under the pilot program;</DELETED>
                <DELETED>    (E) consult with the relevant offices at 
                the Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent Department of Defense bug bounty 
                programs;</DELETED>
                <DELETED>    (F) award competitive contracts as 
                necessary to manage the pilot program and for executing 
                the remediation of vulnerabilities identified as a 
                consequence of the pilot program; and</DELETED>
                <DELETED>    (G) engage interested persons, including 
                commercial sector representatives, about the structure 
                of the pilot program as constructive and to the extent 
                practicable.</DELETED>
<DELETED>    (c) Report.--Not later than 90 days after the date on 
which the pilot program is completed, the Secretary of Homeland 
Security shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Homeland 
Security of the House of Representatives a report on the pilot program, 
which shall include--</DELETED>
        <DELETED>    (1) the number of computer security researchers 
        involved in the pilot program, broken down by the number of 
        computer security researchers who--</DELETED>
                <DELETED>    (A) registered;</DELETED>
                <DELETED>    (B) were approved;</DELETED>
                <DELETED>    (C) submitted security vulnerabilities; 
                and</DELETED>
                <DELETED>    (D) received monetary 
                compensation;</DELETED>
        <DELETED>    (2) the number and severity of previously 
        unidentified vulnerabilities reported as part of the pilot 
        program;</DELETED>
        <DELETED>    (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot 
        program;</DELETED>
        <DELETED>    (4) the average length of time between the 
        reporting of security vulnerabilities and remediation of the 
        vulnerabilities;</DELETED>
        <DELETED>    (5) the average amount of monetary compensation 
        paid per unique vulnerability submitted under the pilot program 
        and the total amount of monetary compensation paid to computer 
        security researchers under the pilot program; and</DELETED>
        <DELETED>    (6) the lessons learned from the pilot 
        program.</DELETED>
<DELETED>    (d) Authorization of Appropriations.--There are authorized 
to be appropriated to the Department $250,000 for fiscal year 2018 to 
carry out this Act.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Hack the Department of Homeland 
Security Act of 2017'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which an approved individual, 
        organization, or company is temporarily authorized to identify 
        and report vulnerabilities of Internet-facing information 
        technology of the Department in exchange for compensation.
            (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (3) Information technology.--The term ``information 
        technology'' has the meaning given the term in section 11101 of 
        title 40, United States Code.
            (4) Pilot program.--The term ``pilot program'' means the 
        bug bounty pilot program required to be established under 
        subsection (b)(1).
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
    (b) Establishment of Pilot Program.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary shall establish, within 
        the Office of the Chief Information Officer, a bug bounty pilot 
        program to minimize vulnerabilities of Internet-facing 
        information technology of the Department.
            (2) Requirements.--In establishing the pilot program, the 
        Secretary shall--
                    (A) provide compensation for reports of previously 
                unidentified security vulnerabilities within the 
                websites, applications, and other Internet-facing 
                information technology of the Department that are 
                accessible to the public;
                    (B) award a competitive contract to an entity, as 
                necessary, to manage the pilot program and for 
                executing the remediation of vulnerabilities identified 
                as a consequence of the pilot program;
                    (C) designate mission-critical operations within 
                the Department that should be excluded from the pilot 
                program;
                    (D) consult with the Attorney General on how to 
                ensure that approved individuals, organizations, or 
                companies that comply with the requirements of the 
                pilot program are protected from prosecution under 
                section 1030 of title 18, United States Code, and 
                similar provisions of law for specific activities 
                authorized under the pilot program;
                    (E) consult with the relevant offices at the 
                Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent Department of Defense bug bounty 
                programs;
                    (F) develop an expeditious process by which an 
                approved individual, organization, or company can 
                register with the entity described in subparagraph (B), 
                submit to a background check as determined by the 
                Department, and receive a determination as to 
                eligibility for participation in the pilot program; and
                    (G) engage qualified interested persons, including 
                non-government sector representatives, about the 
                structure of the pilot program as constructive and to 
                the extent practicable.
    (c) Report.--Not later than 90 days after the date on which the 
pilot program is completed, the Secretary of Homeland Security shall 
submit to the Committee on Homeland Security and Governmental Affairs 
of the Senate and the Committee on Homeland Security of the House of 
Representatives a report on the pilot program, which shall include--
            (1) the number of approved individuals, organizations, or 
        companies involved in the pilot program, broken down by the 
        number of approved individuals, organizations, or companies 
        that--
                    (A) registered;
                    (B) were approved;
                    (C) submitted security vulnerabilities; and
                    (D) received compensation;
            (2) the number and severity of vulnerabilities reported as 
        part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the current number of outstanding previously 
        unidentified security vulnerabilities and Department 
        remediation plans;
            (5) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
            (6) the types of compensation provided under the pilot 
        program; and
            (7) the lessons learned from the pilot program.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Department $250,000 for fiscal year 2018 to carry 
out this Act.