
Code · STATUTE-COMPILATIONS · Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act · Sec. 102

Sec. 102. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

## SEC. 102 DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM **[**[6 U.S.C. 663 note](/us/usc/t6/s663)**]**
### (a) Definitions. In this section:
#### (1) The term “appropriate congressional committees” means—
##### (A) the Committee on Homeland Security and Governmental Affairs of the Senate;
##### (B) the Select Committee on Intelligence of the Senate;
##### (C) the Committee on Homeland Security of the House of Representatives; and
##### (D) Permanent Select Committee on Intelligence of the House of Representatives.
#### (2) The term “bug bounty program” means a program under which—
##### (A) individuals, organizations, and companies are temporarily authorized to identify and report vulnerabilities of appropriate information systems of the Department; and
##### (B) eligible individuals, organizations, and companies receive compensation in exchange for such reports.
#### (3) **[**[6 U.S.C. 651 note](/us/usc/t6/s651)**]** The term “Department” means the Department of Homeland Security.
#### (4) The term “eligible individual, organization, or company” means an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.
#### (5) The term “information system” has the meaning given the term in section 3502 of title 44, United States Code.
#### (6) The term “pilot program” means the bug bounty pilot program required to be established under subsection (b)(1).
#### (7) The term “Secretary” means the Secretary of Homeland Security.
### (b) Bug Bounty Pilot Program
#### (1) Establishment. Not later than 180 days after the date of enactment of this Act, the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of appropriate information systems of the Department.
#### (2) Responsibilities of Secretary. In establishing and conducting the pilot program, the Secretary shall—
##### (A) designate appropriate information systems to be included in the pilot program;
##### (B) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);
##### (C) establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;
##### (D) consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and civil lawsuits for specific activities authorized under the pilot program;
##### (E) consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs; and
##### (F) develop an expeditious process by which an individual, organization, or company can register with the Department, submit to a background check as determined by the Department, and receive a determination as to eligibility; and
##### (G) engage qualified interested persons, including non-government sector representatives, about the structure of the pilot program as constructive and to the extent practicable.
#### (3) Contract authority. In establishing the pilot program, the Secretary, subject to the availability of appropriations, may award 1 or more competitive contracts to an entity, as necessary, to manage the pilot program.
### (c) Report to Congress. Not later than 180 days after the date on which the pilot program is completed, the Secretary shall submit to the appropriate congressional committees a report on the pilot program, which shall include—
#### (1) the number of individuals, organizations, or companies that participated in the pilot program, broken down by the number of individuals, organizations, or companies that—
##### (A) registered;
##### (B) were determined eligible;
##### (C) submitted security vulnerabilities; and
##### (D) received compensation;
#### (2) the number and severity of vulnerabilities reported as part of the pilot program;
#### (3) the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
#### (4) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;
#### (5) the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;
#### (6) the types of compensation provided under the pilot program; and
#### (7) the lessons learned from the pilot program.
### (d) Authorization of Appropriations. There is authorized to be appropriated to the Department $250,000 for fiscal year 2019 to carry out this section.