GSA looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

The Challenge will end on 04/21/23. When the Challenge finishes, all testing must cease.

The bounty pool reserved for this Challenge is $75,000. HackerOne will assist the customer with triage and bounty management. Based on the reports received, if it seems like the bounty pool is about to be exhausted, the program will be paused and submissions will be disabled. If this happens, HackerOne will send you a note ASAP so you know to cease testing. If this happens, HackerOne will reach out to the customer to see if they would like to add additional funds to the bounty pool and resume the Challenge, or if they would like to stop the Challenge at that point. In either case, HackerOne will let you know what is decided. We will try our best to disable submissions if the bounty pool is close to exhaustion, but on the off chance more reports come in than there is budget to pay for, reward amounts may be slightly diluted.

Program Rules

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Follow HackerOne's disclosure guidelines.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Amounts below are the minimum and maximum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.
• Use HTTP Header x-challenge: LG bug bounty challenge to identify yourself as a participant.

Rewards

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. Please note, however, that reward decisions are up to the discretion of the GSA and HackerOne and reward amounts may be adjusted mid-Challenge. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); or an RCE on an asset that doesn’t house production data.

#Objectives Objectives for the challenge and goal for the researcher to achieve (i.e. - Compromise AWS Console for LG) Common

• Privilege escalation

Login.gov Infrastructure & Hosting

• AWS Environment and Services
• Data exfiltration
• Ability to gain access to the AWS Environment (CLI/Web)
• Bypassing access restrictions on login.gov resources provided for tenant agencies (e.g Event APIs)
  • RISC API: https://developers.login.gov/security-events/
  • Attempts API:
• Service Provider/IDP Testing
  • Test Login.gov OpenIDC implementation for exploits due to non standard or insecure implementation
  • Test Login.gov SAML implementation for exploits due to non standard or insecure implementation

Login.gov Identity Service

• Login.gov Identity Proofing Process
• Bypassing Identity verification
  • E.G. pictures of fake or altered documents
  • Restriction: See Behavior section
  • Bypassing enrollment codes sent out of band
    • Sent to other device
    • Returned to Browser
• Accessing real account
  • Bypassing authentication mechanisms
  • Staging Target User
• Lateral movement to other users accounts using personal account
• Account modification, E.G. transitioning an unproofed account to a proofed account without completing proofing.

Scope

Our scopes are listed in the assets section below. More information on each scope, including the types of issues we’re most interested in seeing, is available in each asset’s description.

Reminder: Researchers should use HTTP Header x-challenge: LG bug bounty challenge to identify themselves as participants.

Login.gov Project

• https://www.login.gov/

Login.gov IDP

• https://idp.int.identitysandbox.gov/
• https://idp.staging.login.gov/
• https://secure.login.gov/
• https://node1.pivcac.staging.login.gov/
• https://node1.pivcac.prod.login.gov/

Login.gov AttemptsAPI Note: This is a REST API for use by a specific partner agency and does support any authentication protocol or identity verification services. Access to this endpoint is restricted via a specific secret given only to the needed parties.

• POST https://idp.int.identitysandbox.gov/api/irs_attempts_api/security_events
• POST https://idp.staging.login.gov/api/irs_attempts_api/security_events

Login.gov OpenID Connect

• https://idp.int.identitysandbox.gov/.well-known/openid-configuration GitHub
• https://github.com/18F/identity-idp
• Attempts code
• ThreatMetrix

###Supporting Tools and Documentation: Login.gov Flows:

• https://developers.login.gov/oidc/
• https://developers.login.gov/saml/

Supporting sample Service Provider (SP) landing page: These endpoint will touch actual IDVA sources

• OIDC https://staging-identity-oidc-sinatra.app.cloud.gov/
• SAML https://staging-identity-saml-sinatra.app.cloud.gov/ These endpoint will NOT touch actual IDVA sources
• OIDC https://int-identity-oidc-sinatra.app.cloud.gov/
• SAML https://int-identity-saml-sinatra.app.cloud.gov/ This can be used to test our two flows (selectable as options under the Sign in button):
• authentication only
• identity-verified

Out of scope

###URI: Login.gov Identity Provider (IdP) is predominantly configured as Service Provider initiated Identity Provider flow. Therefore, the only place researchers will be able to test Service Provider flow is using the supplied sample Service Provider URI. Any partner agency URIs / Domains are out of scope barring a direct interaction with login.gov.

Examples include:

• USAjobs.gov
• Trusted Travelers
• Veterans Affairs
• Customs and Border Protection
• General Services Administration (sam.gov etc)
• Social Security Administration
• Small Business Administration
• Any *.gov or *.mil domains that are not under the login.gov second level domain
• And others.

###Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Our goal with this program is to fix issues with meaningful impact. Thus, we exclude certain types of issues because they have low (or no) security impact to us, and/or are known issues that we're comfortable with. These issues are unlikely to be eligible for an award, and will usually be considered invalid for the purposes of our program:

The following issues are considered out of scope:

• Violations of secure design principles that are not part of exploitable vulnerabilities.
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Logout CSRF
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Bulk traffic DoS attacks
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or brute-force issues on non-authentication endpoints
• HTTP OPTIONS/TRACE methods enabled.
• Missing best practices in Content Security Policy.
• HTTP/TLS configuration issues without demonstrable impact, such as:
• TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites, etc.
• Missing HTTP security headers
• Lack of Secure or HTTPOnly cookie flag.
• Missing best practices in SSL/TLS configuration.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction
• Reports about missing rate limiting where other mitigations exist (for example, brute force attacks against login pages already protected by MFA).
• Username enumeration on login or forgot password pages.
• Overly broad permissions on editing wikis (or other non-software non-production areas) associated with our source code repositories.
• Use of a known-vulnerable library without evidence of exploitability Presence (or absence) of application/browser autocomplete or save-password flags.
• Lack of "security speedbumps" when leaving sites/applications.
• Non-sensitive information disclosure (i.e., server versions, software stack, etc) on error message pages, 404 pages, and so forth.
• User Browser based attack (session token stealing from a users browser)
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

The following issues are considered informative and ineligible for bounty:

• Findings due to improper relying party configuration on partner domains

#Behavior:

• Use of another individual besides the researcher's government issued identification or provided testing account does not count as bypassing identity proofing and will not result in a bounty payout.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited

#Eligibility: ###Participation:

• Researchers from any geographic region not under sanction from the U.S. government can participate in this challenge and test the in-scope assets using unauthenticated methods.
• Researchers can only create accounts if they are U.S. Persons with government issued identification in good standing.
• Researchers must use their own identification for proofing. Note: the account can be deleted at any time.

###Bounty Rewards: If you submit a qualifying, validated vulnerability, you may be eligible to receive a bounty award subject to the terms below:

• While we welcome the submission of any vulnerability that impacts in-scope services, we may not be able to award a bounty for submissions where the root-cause vulnerability was introduced by an upstream library.
• You are not currently nor have been an employee or contractor of the U.S. General Services Administration (GSA) within 12 months prior to submission
• You are not a family or household member of an employee or contractor of the U.S. General Services Administration (GSA) as described above
• You must meet all HackerOne Bug Bounty eligibility requirements, such as not being subject to trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
• If you are a federal employee, you are reminded that you may be required to seek approval from your supervisor and/or ethics office for any outside positions or compensation.
• If you are a current federal employee or the spouse or dependent child of a federal employee, you are reminded that Federal Employees are covered by the Standards of Ethical Conduct for Employees of the Executive Branch. 5 CFR Section 2635. Included in these restrictions is the prohibition against use of nonpublic information for personal gain.
• If you are an employee of a federal contractor or subcontractor, you are reminded that information you receive in your employment is for your use in your employment. You may be prohibited from disclosing that information by a Non-Disclosure Agreement.

Thank you for helping keep GSA and our users safe!

If you have any questions or concerns on this Challenge, please get in touch with [email protected]