Hack the Department of Homeland Security Act of 2017 or the Hack DHS Act
This bill directs the Department of Homeland Security (DHS) to establish a bug bounty pilot program to minimize vulnerabilities to DHS information systems.
"Bug bounty program" is a program under which an approved computer security specialist or security researcher is temporarily authorized to identify and report vulnerabilities within DHS information systems in exchange for cash payment.
Under such program, DHS shall:
[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2774 Introduced in House (IH)]
115th CONGRESS
1st Session
H. R. 2774
To establish a bug bounty pilot program within the Department of
Homeland Security, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 6, 2017
Mr. Ted Lieu of California (for himself and Mr. Taylor) introduced the
following bill; which was referred to the Committee on Homeland
Security
_______________________________________________________________________
A BILL
To establish a bug bounty pilot program within the Department of
Homeland Security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Hack the Department of Homeland
Security Act of 2017'' or the ``Hack DHS Act''.
SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.
(a) Definitions.--In this section:
(1) Bug bounty program.--The term ``bug bounty program''
means a program under which an approved computer security
specialist or security researcher is temporarily authorized to
identify and report vulnerabilities within the information
system of the Department in exchange for cash payment.
(2) Department.--The term ``Department'' means the
Department of Homeland Security.
(3) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(4) Pilot program.--The term ``pilot program'' means the
bug bounty pilot program required to be established under
subsection (b)(1).
(5) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(b) Establishment of Pilot Program.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Secretary shall establish a bug
bounty pilot program to minimize vulnerabilities to the
information systems of the Department.
(2) Requirements.--In establishing the pilot program, the
Secretary shall--
(A) provide monetary compensations for reports of
previously unidentified security vulnerabilities within
the websites, applications, and other information
systems of the Department that are accessible to the
public;
(B) develop an expeditious process by which
computer security researchers can register for the
pilot program, submit to a background check as
determined by the Department, and receive a
determination as to approval for participation in the
pilot program;
(C) designate mission-critical operations within
the Department that should be excluded from the pilot
program;
(D) consult with the Attorney General on how to
ensure that computer security specialists and security
researchers who participate in the pilot program are
protected from prosecution under section 1030 of title
18, United States Code, and similar statutes for
specific activities authorized under the pilot program;
(E) consult with the relevant offices at the
Department of Defense that were responsible for
launching the 2016 ``Hack the Pentagon'' pilot program
and subsequent Department of Defense bug bounty
programs;
(F) award competitive contracts as necessary to
manage the pilot program and for executing the
remediation of vulnerabilities identified as a
consequence of the pilot program; and
(G) engage interested persons, to include
commercial sector representatives, about the structure
of the pilot program as constructive and to the extent
practicable.
(c) Report.--Not later than 90 days after the date on which the
pilot program is completed, the Secretary shall submit to the Committee
on Homeland Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of Representatives a report
on the pilot program, which shall include--
(1) the number of computer security researchers who
registered, were approved, submitted security vulnerabilities,
and received monetary compensation;
(2) the number and severity of previously unidentified
vulnerabilities reported as part of the pilot program;
(3) the number of previously unidentified security
vulnerabilities remediated as a result of the pilot program;
(4) the average length of time between the reporting of
security vulnerabilities and remediation of the
vulnerabilities;
(5) the average amount of money paid per unique
vulnerability submitted and the total amount of money paid to
security researchers under the pilot program; and
(6) the lessons learned from the pilot program.
(d) Authorization of Appropriations.--There are authorized to be
appropriated to the Department $250,000 for fiscal year 2018 to carry
out this Act.
Introduced in House
Referred to the House Committee on Homeland Security.
Referred to the Subcommittee on Cybersecurity and Infrastructure Protection.