As ordered reported by the House Committee on Homeland Security on July 17, 2019
H.R. 3710 would authorize the Department of Homeland Security (DHS) to disseminate information to the public about vulnerabilities in the software and hardware of information systems. The bill also would authorize DHS to establish an award program to encourage independent researchers to identify and report vulnerabilities and solutions for those vulnerabilities to the department.
DHS is already performing many of the cybersecurity activities that would be authorized by H.R. 3710. The department manages several programs that provide services and information to help system administrators, software manufacturers, and the general public identify cyber vulnerabilities. For example, the DHS Common Vulnerabilities and Exposures program helps software vendors identify risks and communicate to their customers how vulnerabilities affect their products and services.
To estimate the cost of providing incentive payments to independent researchers, CBO used information about similar programs of other federal agencies. For example, the General Services Administration (GSA) offers payments to individual researchers through its Bug Bounty program for each vulnerability identified. Those payments range from $150 to $5,000 based on how critical the potential target is to GSA’s operations. On the basis of budget data from those related programs, CBO estimates that making incentive payments to independent researchers for identifying vulnerabilities would cost $11 million each year. CBO expects that DHS would be ready to implement the program beginning in 2021. Thus, CBO estimates that enacting H.R. 3710 would cost $44 million over the 2019-2024 period. Such spending would be subject to availability of appropriated funds.
Areas of uncertainty in that estimate include expectations about the criteria DHS would use in awarding payments to independent researchers. H.R. 3710 would give DHS broad latitude in establishing the criteria under which it would provide cash payments. CBO assumes that the department would limit payments to actions that protect government systems. The budgetary effects of the bill would be significantly larger than this estimate if DHS also provides payments for actions that protect nonfederal systems.