Illustration: Sam Jayne/Axios

Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But the new State Department bounty bill might pass muster, according to Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd.

Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.

The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.

Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.

  • Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
  • "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
  • But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
  • Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.

Go deeper

Dave Lawler, author of World
9 mins ago - World

Global coronavirus vaccine initiative launches without U.S. or China

Data: Gavi, The Vaccine Alliance; Map: Naema Ahmed/Axios

A global initiative to ensure equitable distribution of coronavirus vaccines now includes most of the world — but not the U.S., China or Russia.

Why it matters: Assuming one or more vaccines ultimately gain approval, there will be a period of months or even years in which supply lags far behind global demand. The COVAX initiative is an attempt to ensure doses go where they're most needed, rather than simply to countries that can produce or buy them at scale.

Updated 34 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 6:15 p.m. EST: 32,062,182 — Total deaths: 979,701 — Total recoveries: 22,057,268Map.
  2. U.S.: Total confirmed cases as of 6:15 p.m EST: 6,967,103 — Total deaths: 202,558 — Total recoveries: 2,670,256 — Total tests: 97,459,742Map.
  3. Health: Cases are surging again in 22 states — New York will conduct its own review of coronavirus vaccine.
  4. Business: America is closing out its strongest quarter of economic growth.
  5. Technology: 2020 tech solutions may be sapping our resolve to beat the pandemic.
  6. Sports: Here's what college basketball will look like this season.
  7. Science: During COVID-19 shutdown, a common sparrow changed its song.
2 hours ago - Podcasts

The child care tax on America's economy

Child care in the U.S. is in crisis, which makes it much harder for the American economy to recover — as providers struggle to stay in business and parents wrestle with work.

Axios Re:Cap digs into the problems and what can be done to solve them, with Vox senior reporter Anna North.

Get Axios AM in your inbox

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Subscription failed
Thank you for subscribing!