Skip to content
A list of governments with Vulnerability Disclosure Policies
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md

README.md

Can you hack your government?

Vulnerability disclosure policies and bug bounty programs are becoming standard across industry and government. Beginning with the U.S. Department of Defense, several government agencies worldwide have implemented vulnerability disclosure programs.

This is a list of government agencies that have bug bounty programs or vulnerability disclosure policies. Please submit a pull request if any government agencies are missing from this list.

Note: This list is not an invitation to hack any of the listed organizations. Ensure that you comply with all listed terms of an organization's vulnerability disclosure policy.

Organization Type Rewards Link Notes
U.S. Department of Defense VDP None https://hackerone.com/deptofdefense Safe Harbor
U.S. Department of Defense Bug Bounty Varies Private, time-limited challenges
GSA Technology Transformation Services Bug Bounty $150-$5,000 https://hackerone.com/tts Safe Harbor
State of Delaware VDP https://delaware.gov/help/responsible-disclosure.shtml Safe Harbor
Netherlands NCSC VDP Up to €300 https://www.ncsc.nl/english/security
Netherlands Central Government VDP https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands/responsible-disclosure

Other government agencies offer avenues for disclosure without providing authorization or a safe harbor. As such, participate in these programs at your own risk and assume no legal protections. Some examples include the following.

Organization Link Notes
DHS via U.S. CERT https://www.kb.cert.org/vuls/govreport/
UK Government via NCSC https://www.ncsc.gov.uk/information/vulnerability-reporting
Government of India via NCIIPC https://nciipc.gov.in/RVDP.html
You can’t perform that action at this time.