Stephanie Sum

The First Civilian Agency to Run a Public Bug Bounty Program Will Continue Working with Hackers Following Success; the Latest Endorsement for Hacker-Powered Security

SAN FRANCISCO-- September 21, 2018 --HackerOne, the leading hacker-powered security platform, today announced the General Service Administration’s (GSA) Technology Transformation Service (TTS) awarded HackerOne a multi-year contract to run a bug bounty program. GSA was the first federal civilian agency to engage in a bug bounty program and continues their ongoing momentum with this latest bug bounty contract.

This news comes after 18F’s successful execution of a 2017 bug bounty and vulnerability disclosure program (VDP) with HackerOne. Through the program, 18F awarded bounties to ethical hackers for reporting security vulnerabilities found in public-facing digital systems. The VDP also provided an official channel for ethical hackers to safely disclose vulnerabilities in a wider rage of TTS assets, including login.gov, data.gov, cloud.gov and vote.gov. After competing in an open market bidding process, TTS awarded the contract to HackerOne in September 2018. The period of performance will extend for up to 5 years. Once the new program begins, TTS will offer hackers financial awards for safely reporting security issues directly to the system owner.

"The Technology Transformation Service bug bounty program with HackerOne is yet another reminder of the leadership role that the U.S. federal government has taken in vulnerability disclosure,” said Marten Mickos, CEO, HackerOne. “Over the last year, GSA has proved to be one of the fastest government agencies in regards to resolution time, resolving vulnerabilities markedly faster than the global average for government bug bounty programs. GSA's commitment to resolving vulnerabilities quickly benefits all U.S. citizens and is something that HackerOne is proud to be a part of."

At a time when nearly every organization faces challenges related to scaling cybersecurity resources and workforce, hacker-powered security programs have become a best practice across the private and public sector. In June 2018, Gartner reported that “Crowdsourced security testing is rapidly approaching critical mass, and ongoing adoption and uptake by buyers is expected to be rapid.” The government sector continues to lead the way with adoption globally, with 125 percent increase in programs year over year, including the European Commission and the Ministry of Defense Singapore, joining GSA’s TTS, and the DoD on HackerOne.

HackerOne and the U.S. Department of Defense’s Defense Digital Service (DDS) pioneered the first ever federal bug bounty program in 2016, Hack the Pentagon. The DoD and HackerOne have successful executed six bug bounty challenges as part of a multi-year contract: Hack the PentagonHack the ArmyHack the Air ForceHack the DTSHack the Air Force 2, and Hack the Marine Corps (results coming soon). The DoD also partners with HackerOne for its ongoing VDP. Since the launch of Hack the Pentagon, more than 5,000 valid vulnerabilities have been reported in government systems.

Proposed legislations like Hack the Department of Homeland Security Act, the Department of Justice Vulnerability Disclosure Framework and statements by Singapore’s Deputy Prime Minister Teo Chee Hean, further demonstrate public sector support for hacker-powered security.