After the Defense Department, the General Services Administration's 18F digital team is building a bug bounty program for use by other federal agencies. You can check the rules in this GitHub repository.
TL;DR: Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force passwords of user accounts. Combined with user enumeration, a weak password policy, no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction.
"This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it. [...] this is about as bad as it can possibly get."