How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
This Act may be cited as the ''Artificial Intelligence Bug Bounty Act of 2023''.
Section 1 establishes the short title of the bill as the Artificial Intelligence Bug Bounty Act of 2023. No operative obligations are imposed.
(a)(1) 1 Not later than 180 days after the date of the enactment of this Act, the Chief Data and Artificial Intelligence Officer of the Department of Defense shall develop a bug bounty program for foundational artificial intelligence products being incorporated by the Department of Defense.
(a)(2) In developing the program required by paragraph (1), the Chief may collaborate with the heads of other government agencies that have expertise in cybersecurity and artificial intelligence.
(a)(3) The Chief may carry out the program developed pursuant to subsection (a).
(a)(4) 2 The Secretary of Defense shall ensure that whenever the Department of Defense enters into any contract, the contract allows for participation in the bug bounty program developed pursuant to paragraph (1).
(a)(5) Nothing in this subsection shall be construed to require— (A) the use of any foundational artificial intelligence product; or (B) the implementation of the program developed pursuant to paragraph (1) in order for the Department to incorporate a foundational artificial intelligence product.
Section 2(a) imposes the bill's core operative requirements. The CDAO must develop a bug bounty program for foundational AI products being incorporated by DoD within 180 days. The CDAO may collaborate with other government agencies and may implement the program. The Secretary of Defense must ensure all DoD contracts allow participation in the bug bounty program. A rule of construction clarifies that nothing in this subsection requires the use of foundational AI products or requires implementation of the program as a precondition for incorporating such products.
(b) 3 Not later than one year after the date of the enactment of this Act, the Chief shall provide the congressional defense committees (as defined in section 101(a) of title 10, United States Code) a briefing on— (1) the development and implementation of bug bounty programs the Chief considers relevant to the matters covered by this section; and (2) long-term plans of the Chief with respect to such bug bounty programs.
Section 2(b) requires the CDAO to brief the congressional defense committees within one year of enactment on the development and implementation of relevant bug bounty programs and the CDAO's long-term plans for such programs. This is a reporting obligation directed at Congress rather than a regulatory requirement.