Skip to content
A list of governments with Vulnerability Disclosure Policies
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.

Can you hack your government?

Vulnerability disclosure policies and bug bounty programs are becoming standard across industry and government. Beginning with the U.S. Department of Defense, several government agencies worldwide have implemented vulnerability disclosure programs.

This is a list of government agencies that have bug bounty programs or vulnerability disclosure policies. Please submit a pull request if any government agencies are missing from this list.

Note: This list is not an invitation to hack any of the listed organizations. Ensure that you comply with all listed terms of an organization's vulnerability disclosure policy.

Organization Type Rewards Link Notes
U.S. Department of Defense VDP None Safe Harbor
U.S. Department of Defense Bug Bounty Varies Private, time-limited challenges
GSA Technology Transformation Services Bug Bounty $150-$5,000 Safe Harbor
Centers for Medicare & Medicaid Services (CMS) VDP None Safe Harbor
State of Delaware VDP Partial Safe Harbor
Washington D.C. VDP None
Netherlands NCSC VDP Up to €300
Netherlands Central Government VDP
United Kingdom NCSC VDP None

Other government agencies offer avenues for disclosure without providing authorization or a safe harbor. As such, participate in these programs at your own risk and assume no legal protections. Some examples include the following.

Organization Link Notes
UK Government via NCSC
Government of India via NCIIPC
You can’t perform that action at this time.