TTS Bug Bounty Program

TTS administers a Bug Bounty Program for the public to report vulnerabilities in TTS systems.

How it works

  1. Security researchers submit reports based on program policy
  2. H1 staff triage the report
  3. You confirm the report and award the bounty
  4. You publish a fix to production and resolve the report
  5. (optional) The researcher confirms the fix
  6. (optional) Disclose the report

Security researchers review the program policy to learn which systems are in scope of the Bug Bounty Program and the rules of behavior.

Researchers report to the Bug Bounty Program where H1 staff do the initial triage.

Once triaged, the report will be assigned to your group (the H1 term for team) for you to confirm. You can ask H1 staff or the researcher for clarification, or for help if you’re having trouble reproducing the issue.

Once confirmed, you can award the bounty. You don’t need to wait until the issue is resolved to award.

When the fix has been released to production, you can close the report as Resolved and include a link to the commit or pull request containing the fix.

The researcher can optionally validate the fix is correct.

We encourage programs to disclose reports and redact any sensitive information when necessary.

Notifications

By default, H1 sends notifications for every report submitted to the TTS Bug Bounty program, but you probably only want to receive reports related to your system.

In your notification settings, under the TTS Bug Bounty, select “Reports where I’m assigned, I interact, or I’m mentioned”.

Screenshot of the TTS Bug Bounty notification preferences

Then, under “Notify me about…”, at least enable notifications for:

  • Mentions (anywhere)
  • Report Updates
  • Comments by hackers
  • Comments by program staff

Subscribe to program changes by clicking the “Subscribe” button in order to be notified of changes to the program policy.

Screenshot of the program subscription button

How do I add a team member to my bug bounty program?

Any administration requests can be made in #bug-bounty. Please include:

  • team member’s email address
  • bug bounty group (your program)

Ping @bugbounty-admins if urgent.

How do I award the bounty?

Make sure the CVSS score and severity are correct, since these determine the award amount according to the bounty tables.

The bounty must be awarded by the Contracting Officer Representative (COR). Please post an internal comment on the report saying “Please award”, and the COR will award the bounty.

How do I mark a report as Resolved?

Above the comment field is a drop-down with several actions that defaults to “Add comment”. Select “Close report” > “Resolved”.

Screenshot showing actions menu on the report screen

Who is the Vulnerability Disclosure Lead?

The Vulnerability Disclosure Lead is an assigned member of the Tech Portfolio.

For admins

Invite the user from the user management admin screen.

Questions?