Text: H.R.2774 — 115th Congress (2017-2018)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in House (06/06/2017)

1st Session
H. R. 2774

To establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.


June 6, 2017

Mr. Ted Lieu of California (for himself and Mr. Taylor) introduced the following bill; which was referred to the Committee on Homeland Security


To establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Hack the Department of Homeland Security Act of 2017” or the “Hack DHS Act”.

SEC. 2. Department of Homeland Security bug bounty pilot program.

(a) Definitions.—In this section:

(1) BUG BOUNTY PROGRAM.—The term “bug bounty program” means a program under which an approved computer security specialist or security researcher is temporarily authorized to identify and report vulnerabilities within the information system of the Department in exchange for cash payment.

(2) DEPARTMENT.—The term “Department” means the Department of Homeland Security.

(3) INFORMATION SYSTEM.—The term “information system” has the meaning given the term in section 3502 of title 44, United States Code.

(4) PILOT PROGRAM.—The term “pilot program” means the bug bounty pilot program required to be established under subsection (b)(1).

(5) SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.

(b) Establishment of pilot program.—

(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall establish a bug bounty pilot program to minimize vulnerabilities to the information systems of the Department.

(2) REQUIREMENTS.—In establishing the pilot program, the Secretary shall—

(A) provide monetary compensations for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public;

(B) develop an expeditious process by which computer security researchers can register for the pilot program, submit to a background check as determined by the Department, and receive a determination as to approval for participation in the pilot program;

(C) designate mission-critical operations within the Department that should be excluded from the pilot program;

(D) consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar statues for specific activities authorized under the pilot program;

(E) consult with the relevant offices at the Department of Defense that were responsible for launching the 2016 “Hack the Pentagon” pilot program and subsequent Department of Defense bug bounty programs;

(F) award competitive contracts as necessary to manage the pilot program and for executing the remediation of vulnerabilities identified as a consequence of the pilot program; and

(G) engage interested persons, to include commercial sector representatives, about the structure of the pilot program as constructive and to the extent practicable.

(c) Report.—Not later than 90 days after the date on which the pilot program is completed, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the pilot program, which shall include—

(1) the number of computer security researchers who registered, were approved, submitted security vulnerabilities, and received monetary compensation;

(2) the number and severity of previously unidentified vulnerabilities reported as part of the pilot program;

(3) the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;

(4) the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;

(5) the average amount of money paid per unique vulnerability submitted and the total amount of money paid to security researchers under the pilot program; and

(6) the lessons learned from the pilot program.

(d) Authorization of appropriations.—There are authorized to be appropriated to the Department $250,000 for fiscal year 2018 to carry out this Act.