TTS Bug Bounty Program

GSA administers a Bug Bounty Program for the public to report vulnerabilities in all GSA systems, including those operated by TTS.

How it works

  1. Security researchers submit reports based on the program policy
  2. HackerOne (H1) staff triage the report
  3. GSA SecOps works with you to confirm the report
  4. GSA SecOps awards a bounty based on the severity of the vulnerability and the specific system
  5. You publish a fix to production and resolve the report
  6. (optional) The researcher confirms the fix
  7. (optional) Disclose the report

Security researchers review the program policy to learn which systems are in scope of the Bug Bounty Program and the rules of behavior.

Researchers submit reports to the Bug Bounty Program, where H1 staff perform the initial triage.

Once triaged, the report will be assigned to GSA SecOps to investigate. GSA SecOps will work with you to evaluate the vulnerability and guide your response.

Once the vulnerability is confirmed, GSA SecOps can award the bounty. There is no need to wait until the issue is resolved before awarding it.

When the fix has been released to production and confirmed, GSA SecOps can mark the report as Resolved and include a link to the commit or pull request containing the fix.

The researcher can optionally validate that the fix is correct.

We encourage programs to disclose reports, redacting any sensitive information when necessary.

Use #bug-bounty-partners for general Bug Bounty-related questions for GSA SecOps and HackerOne.

Questions?