Tag Archives: Bug Bounties

GSA Awards $2 Million Bug Bounty Service Contract

GSA Bug Bounties

After a successful pilot collaboration, the agency’s Technology Transformation Service recently awarded a $2 million contract to HackerOne for the facilitation of its bug bounty programs over the next few years.

“The Technology Transformation Service bug bounty program with HackerOne is yet another reminder of the leadership role that the U.S. federal government has taken in vulnerability disclosure,” HackerOne CEO Marten Mickos said in a statement. “Over the last year, GSA has proved to be one of the fastest government agencies in regards to resolution time, resolving vulnerabilities markedly faster than the global average for government bug bounty programs. GSA’s commitment to resolving vulnerabilities quickly benefits all U.S. citizens and is something that HackerOne is proud to be a part of.”

TTS and HackerOne began a partnership in August 2017, with an initial focus on the 18F-built Federalist website publishing service. GSA was the first civilian agency to use bug bounties as a way to let members of the general public find and disclose website vulnerabilities in return for cash prizes. GSA later added other domains, like common login platform login.gov, to the challenge. In total, GSA paid out $21,450 in bounties during the initiative’s pilot phase.

Now, GSA is looking to extend the collaboration.

The new contract has a base performance period of six months, with nine option periods of six months each for a total of five years.

GSA isn’t the only federal agency HackerOne works with — the security company partnered with the Department of Defense to launch the federal government’s first bug bounty, Hack the Pentagon, in 2016. Since then it has run a number of programs for DOD, including Hack the Army, Hack the Air Force, Hack the DTS, Hack the Air Force 2, and Hack the Marine Corps.

CIOs at federal agencies are increasingly realizing that bug bounty programs can be a great way to access security expertise the agency may lack in-house. “It goes back to being proactive,” Department of Transportation CIO Vicki Hildebrand said recently. “I don’t want to wait for a bad actor to tell me I’ve got a vulnerability. We’ve got to get ahead of this curve.”


Pentagon Entrenches Bug Bounty Program

“The Defense Department announced it will be entrenching the federal government’s first-ever bug bounty program.

It awarded a contract to HackerOne and Synack to “create a new contract vehicle” for DoD components and service branches to launch their own bug bounty challenges aimed at incentivizing the discovery of vulnerabilities on networks.

Bug bounties are standard in private industry and many have expressed the need to adopt them in government. However, government, and to some degree, military culture, can stifle this, according to some. With no incentives to disclose discovered vulnerabilities, and in some cases, discovery leading to misinterpretation not as valuable or friendly information but threatening, this “promotes a ‘do-nothing’ culture,” two Army captains wrote in an article in the Cyber Defense Review.

Hack the Pentagon, as it was known, brought in members from the outside to find vulnerabilities on DoD computer systems for potential monetary compensation based upon the types and how many vulnerabilities they found.

The Hack the Pentagon initiative was led by the Defense Digital Service team, another technology initiative stood up by Secretary of Defense Ash Carter to bring in outside talent and replicate the tech culture of Silicon Valley firms to solve challenging problems for the department. Hack the Pentagon brought in over 1,400 registered and vetted hackers to find vulnerabilities on DoD unclassified systems, discovering 138 unique and previously undisclosed vulnerabilities in need of patching.

“This contract vehicle for a crowd-sourced security solution can also serve as a road map for other departments and agencies across the federal government to adopt and implement as well,” a release from DoD said.

Secretary Carter has worked hard to bring outside talent from the bastions of technology and innovation around the nation.

DDS, stood up last November, “brings coders in for what we call a tour of duty,” Carter has described. “They come in, you know they’re not going to make a career of it, they’re not going to join, they’re not going to be part of the government, but they come in for a year or two, or a project, and make a contribution to us.”

Chris Lynch, who heads DDS, said the program was spun out of U.S. Digital Service, the White House team that was brought in from the private sector to bring in best practices and fix some of the biggest technology problems facing government.

“I like to say that we’re a very mission-focused organization,” he said of DDS in June at the Defense One Technology Summit. “We function a little bit more like a SWAT team … we go into things where there’s a challenge and work to help out in whatever way we can. So we’ve got some special super powers just because of how we’re positioned within the Department of Defense and we try to use our knowledge about how to build products and ship products to turn around challenge or very strategic projects that are going on.”

Carter has also pushed the Defense Innovation Unit-Experimental office, which originated with one office in Silicon Valley in 2015 to serve as a DoD outpost for outreach from the Pentagon to tech firms. Since it was first announced, there are now two additional offices in Boston and Austin with 12 contracts awarded totaling $36.3 million in the last fiscal year.

DoD said DDS will work with various components within the department and external government agencies in a consultative role to advise on the execution of future bug bounty programs.”