Union Calendar No. 752
115th CONGRESS 2d Session
[Report No. 115–964]
To establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.
April 18, 2018
Referred to the Committee on Homeland Security
September 25, 2018
Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed in italic]
[For text of introduced bill, see copy of bill as introduced on April 18, 2018]
To establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Hack the Department of Homeland Security Act of 2018” or the “Hack DHS Act”.
SEC. 2. Department of Homeland Security bug bounty pilot program.
(a) Definitions.—In this section:
(1) BUG BOUNTY PROGRAM.—The term “bug bounty program” means a program under which—
(3) ELIGIBLE INDIVIDUAL, ORGANIZATION, OR COMPANY.—The term “eligible individual, organization, or company” means an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.
(4) INFORMATION SYSTEM.—The term “information system” has the meaning given that term by section 3502 of title 44, United States Code.
(b) Establishment of pilot program.—
(1) IN GENERAL.—Not later than 180 days after the date of enactment of this Act, the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of appropriate information systems of the Department.
(2) REQUIREMENTS.—In establishing and conducting the pilot program, the Secretary shall—
(B) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);
(C) establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;
(D) consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and civil lawsuits for specific activities authorized under the pilot program;
(E) consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs; and
(c) Report.—Not later than 180 days after the date on which the pilot program is completed, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the pilot program, which shall include—
(1) the number of individuals, organizations, or companies that participated in the pilot program, broken down by the number of individuals, organizations, or companies that—
(3) the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
(4) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;