If there's not an obvious security contact at the agency, you can always report vulnerabilities to US-CERT, which has overall responsibility for connecting reporters to the right responders. https://www.us-cert.gov/
As with all vulnerability reporting, it's much more likely that someone will take action on your report if you can provide evidence or a reproducible proof of concept.
18F/TTS can sometimes direct reports to the right place, but it's really not their job to do so.
This links to the report form at https://www.kb.cert.org/vuls/govreport/