After a successful pilot collaboration, the agency’s Technology Transformation Service recently awarded a $2 million contract to HackerOne for the facilitation of its bug bounty programs over the next few years.”
“The Technology Transformation Service bug bounty program with HackerOne is yet another reminder of the leadership role that the U.S. federal government has taken in vulnerability disclosure,” HackerOne CEO Marten Mickos said in a statement. “Over the last year, GSA has proved to be one of the fastest government agencies in regards to resolution time, resolving vulnerabilities markedly faster than the global average for government bug bounty programs. GSA’s commitment to resolving vulnerabilities quickly benefits all U.S. citizens and is something that HackerOne is proud to be a part of.”
TTS and HackerOne began a partnership in August 2017, with an initial focus on the 18F-built Federalist website publishing service. GSA was the first civilian agency to use bug bounties as a way to let members of the general public find and disclose website vulnerabilities in return for cash prizes. GSA later added other domains, like common login platform login.gov, to the challenge. In total, GSA paid out $21,450 in bounties during the initiative’s pilot phase.
Now, GSA is looking to extend the collaboration.
The new contract has a base performance period of six months, with nine option periods of six months each for a total of five years.
GSA isn’t the only federal agency HackerOne works with — the security company partnered with the Department of Defense to launch the federal government’s first bug bounty, Hack the Pentagon, in 2016. Since then it has run a number of programs for DOD, including Hack the Army, Hack the Air Force, Hack the DTS, Hack the Air Force 2, and Hack the Marine Corps.
CIOs at federal agencies are increasingly realizing that bug bounty programs can be a great way to access security expertise the agency may lack in-house. “It goes back to being proactive,” Department of Transportation CIO Vicki Hildebrand said recently. “I don’t want to wait for a bad actor to tell me I’ve got a vulnerability. We’ve got to get ahead of this curve.”