115 S1281 RS: Hack DHS Act
U.S. Senate
2017-05-25
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.This Act may be cited as the Hack the Department of Homeland Security Act of 2017
or the Hack DHS Act
.
2.Department of Homeland Security Bug Bounty Pilot Program
(a)In this section: (1)The term bug bounty program means a program under which an approved computer security specialist or security researcher is temporarily authorized to identify and report vulnerabilities within the information system of the Department in exchange for cash payment.
(2)The term Department means the Department of Homeland Security. (3)The term information system has the meaning given the term in section 3502 of title 44, United States Code.
(4)The term pilot program means the bug bounty pilot program required to be established under subsection (b)(1). (5)The term Secretary means the Secretary of Homeland Security.
(b)Establishment of pilot program
(1)Not later than 180 days after the date of enactment of this Act, the Secretary shall establish a bug bounty pilot program to minimize vulnerabilities to the information systems of the Department.
(2)In establishing the pilot program, the Secretary shall— (A)provide monetary compensation for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public;
(B)develop an expeditious process by which computer security researchers can register with the Department, submit to a background check as determined by the Department, and receive a determination as to approval for participation in the pilot program;
(C)designate mission-critical operations within the Department that should be excluded from the pilot program;
(D)consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program;
(E)consult with the relevant offices at the Department of Defense that were responsible for launching the 2016 Hack the Pentagon
pilot program and subsequent Department of Defense bug bounty programs;
(F)award competitive contracts as necessary to manage the pilot program and for executing the remediation of vulnerabilities identified as a consequence of the pilot program; and
(G)engage interested persons, including commercial sector representatives, about the structure of the pilot program as constructive and to the extent practicable.
(c)Not later than 90 days after the date on which the pilot program is completed, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the pilot program, which shall include—
(1)the number of computer security researchers involved in the pilot program, broken down by the number of computer security researchers who—
(A)registered; (B)were approved;
(C)submitted security vulnerabilities; and
(D)received monetary compensation; (2)the number and severity of previously unidentified vulnerabilities reported as part of the pilot program;
(3)the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
(4)the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;
(5)the average amount of monetary compensation paid per unique vulnerability submitted under the pilot program and the total amount of monetary compensation paid to computer security researchers under the pilot program; and
(6)the lessons learned from the pilot program. (d)Authorization of appropriationsThere are authorized to be appropriated to the Department $250,000 for fiscal year 2018 to carry out this Act.
1.This Act may be cited as the Hack the Department of Homeland Security Act of 2017
or the Hack DHS Act
. 2.Department of Homeland Security bug bounty pilot program (a)In this section:
(1)The term bug bounty program means a program under which an approved individual, organization, or company is temporarily authorized to identify and report vulnerabilities of Internet-facing information technology of the Department in exchange for compensation.
(2)The term Department means the Department of Homeland Security. (3)The term information technology has the meaning given the term in section 11101 of title 40, United States Code.
(4)The term pilot program means the bug bounty pilot program required to be established under subsection (b)(1). (5)The term Secretary means the Secretary of Homeland Security.
(b)Establishment of pilot program
(1)Not later than 180 days after the date of enactment of this Act, the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of Internet-facing information technology of the Department.
(2)In establishing the pilot program, the Secretary shall— (A)provide compensation for reports of previously unidentified security vulnerabilities within the websites, applications, and other Internet-facing information technology of the Department that are accessible to the public;
(B)award a competitive contract to an entity, as necessary, to manage the pilot program and for executing the remediation of vulnerabilities identified as a consequence of the pilot program;
(C)designate mission-critical operations within the Department that should be excluded from the pilot program;
(D)consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program;
(E)consult with the relevant offices at the Department of Defense that were responsible for launching the 2016 Hack the Pentagon
pilot program and subsequent Department of Defense bug bounty programs;
(F)develop an expeditious process by which an approved individual, organization, or company can register with the entity described in subparagraph (B), submit to a background check as determined by the Department, and receive a determination as to eligibility for participation in the pilot program; and
(G)engage qualified interested persons, including non-government sector representatives, about the structure of the pilot program as constructive and to the extent practicable.
(c)Not later than 90 days after the date on which the pilot program is completed, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the pilot program, which shall include—
(1)the number of approved individuals, organizations, or companies involved in the pilot program, broken down by the number of approved individuals, organizations, or companies that—
(A)registered; (B)were approved;
(C)submitted security vulnerabilities; and (D)received compensation;
(2)the number and severity of vulnerabilities reported as part of the pilot program; (3)the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
(4)the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;
(5)the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;
(6)the types of compensation provided under the pilot program; and (7)the lessons learned from the pilot program.
(d)Authorization of appropriationsThere are authorized to be appropriated to the Department $250,000 for fiscal year 2018 to carry out this Act.February 26, 2018Reported with an amendment