TTS Bug Bounty Program
TTS administers a Bug Bounty Program for the public to report vulnerabilities in TTS systems.
How it works
- Security researchers submit reports based on program policy
- H1 staff triage the report
- You confirm the report and award the bounty
- You publish a fix to production and resolve the report
- (optional) The researcher confirms the fix
- (optional) Disclose the report
Security researchers review the program policy for what systems are in scope of the Bug Bounty Program and rules of behavior.
Researchers report to the Bug Bounty Program where H1 staff do the initial triage.
Once triaged, the report will be assigned to your group (the H1 term for a team) for you to confirm. You can ask H1 staff or the researcher for clarification, or for help if you’re having trouble reproducing the issue.
Once confirmed, you can award the bounty. You don’t need to wait until the issue is resolved to award.
When the fix has been released to production, you can close the report as Resolved and include a link to the commit or pull request containing the fix.
The researcher can optionally validate the fix is correct.
We encourage programs to disclose reports and redact any sensitive information when necessary.
By default, H1 sends notifications for every report to the TTS Bug Bounty program but you probably only want to receive reports related to your system.
In your notification settings, under the TTS Bug Bounty, select “Reports where I’m assigned, I interact, or I’m mentioned”.
Then, under “Notify me about…”, at least enable notifications for:
- Mentions (anywhere)
- Report Updates
- Comments by hackers
- Comments by program staff
Subscribe to program changes by clicking the “Subscribe” button in order to be notified of changes to the program policy.
How do I add a team member to my bug bounty program?
Any administration requests can be made in #bug-bounty. Please include:
- team member’s email address
- bug bounty group (your program)
Mention @bugbounty-admins if the request is urgent.
How do I award the bounty?
Make sure the CVSS score and severity are correct: the severity determines the award amount according to the bounty tables.
The bounty must be awarded by the Contracting Officer Representative (COR). Please post an internal comment on the report “Please award” and the COR will award the bounty.
How do I mark a report as Resolved?
Above the comment field is a drop-down with several actions; it defaults to “Add comment”. Select “Close report” > “Resolved”.
Who is the Vulnerability Disclosure Lead?
The Vulnerability Disclosure Lead is an assigned member of the Tech Portfolio.
Invite the user from the user management admin screen.