Sign up for our daily briefing
Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.
Catch up on the day's biggest business stories
Subscribe to Axios Closer for insights into the day’s business news and trends and why they matter
Sign up for Axios Pro Rata
Dive into the world of dealmakers across VC, PE and M&A with Axios Pro Rata. Delivered daily to your inbox by Dan Primack and Kia Kokalitcheva.
Sports news worthy of your time
Binge on the stats and stories that drive the sports world with Axios Sports. Sign up for free.
Tech news worthy of your time
Get our smart take on technology from the Valley and D.C. with Axios Login. Sign up for free.
Get the inside stories
Get an insider's guide to the new White House with Axios Sneak Peek. Sign up for free.
Catch up on coronavirus stories and special reports, curated by Mike Allen everyday
Catch up on coronavirus stories and special reports, curated by Mike Allen everyday
Want a daily digest of the top Denver news?
Get a daily digest of the most important stories affecting your hometown with Axios Denver
Want a daily digest of the top Des Moines news?
Get a daily digest of the most important stories affecting your hometown with Axios Des Moines
Want a daily digest of the top Twin Cities news?
Get a daily digest of the most important stories affecting your hometown with Axios Twin Cities
Want a daily digest of the top Tampa Bay news?
Get a daily digest of the most important stories affecting your hometown with Axios Tampa Bay
Want a daily digest of the top Charlotte news?
Get a daily digest of the most important stories affecting your hometown with Axios Charlotte
Want a daily digest of the top Nashville news?
Get a daily digest of the most important stories affecting your hometown with the Axios Nashville newsletter.
Want a daily digest of the top Columbus news?
Get a daily digest of the most important stories affecting your hometown with the Axios Columbus newsletter.
Want a daily digest of the top Dallas news?
Get a daily digest of the most important stories affecting your hometown with the Axios Dallas newsletter.
Want a daily digest of the top Austin news?
Get a daily digest of the most important stories affecting your hometown with the Axios Austin newsletter.
Want a daily digest of the top Atlanta news?
Get a daily digest of the most important stories affecting your hometown with the Axios Atlanta newsletter.
Want a daily digest of the top Philadelphia news?
Get a daily digest of the most important stories affecting your hometown with the Axios Philadelphia newsletter.
Want a daily digest of the top Chicago news?
Get a daily digest of the most important stories affecting your hometown with the Axios Chicago newsletter.
Sign up for Axios NW Arkansas
Stay up-to-date on the most important and interesting stories affecting NW Arkansas, authored by local reporters
Want a daily digest of the top DC news?
Get a daily digest of the most important stories affecting your hometown with the Axios DC newsletter.
Illustration: Sam Jayne/Axios
Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But the new State Department bounty bill might pass muster, according to Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd.
Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.
The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.
Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.
- Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
- "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
- But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
- Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.