Can you hack your government?
Vulnerability disclosure policies and bug bounty programs are becoming standard across industry and government. Beginning with the U.S. Department of Defense, several government agencies worldwide have implemented vulnerability disclosure programs.
This is a list of government agencies that have bug bounty programs or vulnerability disclosure policies. Please submit a pull request if any government agencies are missing from this list.
Note: This list is not an invitation to hack any of the listed organizations. Ensure that you comply with all listed terms of an organization's vulnerability disclosure policy.
| Agency | Type | Bounty | Link | Notes |
|---|---|---|---|---|
| U.S. Department of Defense | VDP | None | https://hackerone.com/deptofdefense | Safe Harbor |
| U.S. Department of Defense | Bug Bounty | Varies | | Private, time-limited challenges |
| GSA Technology Transformation Services | Bug Bounty | $150-$5,000 | https://hackerone.com/tts | Safe Harbor |
| State of Delaware | VDP | | https://delaware.gov/help/responsible-disclosure.shtml | Safe Harbor |
| Netherlands NCSC | VDP | Up to €300 | https://www.ncsc.nl/english/security | |
| Netherlands Central Government | VDP | | https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands/responsible-disclosure | |
Other government agencies offer avenues for disclosure without providing authorization or a safe harbor. As such, participate in these programs at your own risk and assume no legal protections. Some examples include the following.
| Agency | Link |
|---|---|
| DHS via U.S. CERT | https://www.kb.cert.org/vuls/govreport/ |
| UK Government via NCSC | https://www.ncsc.gov.uk/information/vulnerability-reporting |
| Government of India via NCIIPC | https://nciipc.gov.in/RVDP.html |