The General Services Administration's innovation arm, 18F, said the agency was edging closer to standing up its own bug bounty program after tapping a new provider for its reporting platform.
18F officials said in a May 11 blog post that GSA's Technology Transformation Service had tapped HackerOne to provide its Software-as-a-Service bug-reporting platform.
The San Francisco-based company offers vulnerability coordination and platform services that reward ethical hackers for locating and reporting network security vulnerabilities.
The GSA's bug bounty platform would represent the first use of an ethical hacking program by a civilian agency in the federal government.
Bug bounty programs have been gaining steam in the federal government after the Department of Defense's successful "Hack the Pentagon" and "Hack the Army" exercises in 2016.
GSA issued a solicitation for a bug bounty platform in January, calling for a SaaS to "allow TTS to manage and track issues across multiple public web applications, triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities and explain the reasons behind rejections," and provide vulnerability, impact and monthly report services.
18F officials said that HackerOne would help set up bounties on "several TTS public-facing web applications" through its platform and would assess the validity of the bug submissions.
The SaaS provider will then forward the reports to active TTS components to correct the issues, and the bug hunters will receive payouts ranging from $300 to $5,000.
Once the platform is in place, officials said, TTS would look to extend it to most of its component websites and applications.