Department of Defense awards $7 million crowdsourced security contracts to HackerOne and Synack

The U.S. Department of Defense (DoD) announced on October 20 that it awarded contracts for crowdsourced vulnerability discovery and disclosure programs to HackerOne and Synack. The contracts will enable DoD to create a vehicle for future crowdsourced challenges and reward the research community to identify and resolve security vulnerabilities within DoD digital assets. The two-pronged effort in partnership with Synack and HackerOne will harness the power of security researchers to scour the DoD’s applications, websites and networks for vulnerabilities.

After the success of the “Hack the Pentagon” pilot led by Defense Digital Services and managed by HackerOne, the DoD will launch a full-scale program to include more public facing properties as well as mission-critical assets through two distinct contracts. The first contract, awarded to HackerOne, will allow DoD and HackerOne to run bug bounty challenges similar to Hack the Pentagon to protect public facing assets and domains. The new contract, awarded to Synack, is modeled after a private, managed bounty incentive model utilizing only highly vetted researchers and is focused on the DoD’s sensitive IT assets.

The RFP was issued in August 2016. After completing a thorough and competitive process for each of the contracts, the DoD, moving with a pace more common to a Silicon Valley company, awarded these two contracts in September 2016. The combined contracts are valued at $7 million and are expected to cover up to 14 challenges and reward hundreds of security researchers.

“As adversaries become more sophisticated and the threat environment continues to evolve, maintaining the highest levels of security has never been more important,” said Mark Wright, Spokesman at Office of the Secretary of Defense. “By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets.”

“No government or organization is so powerful that it does not need outside help identifying security issues. Working with the external hacker community will supplement the crucial cybersecurity work that DoD is doing internally,” said Marten Mickos, CEO HackerOne. “Securing our online society is paramount and this puts the U.S. federal government in the forefront.”

“This award really marks a turning point in harnessing innovation to secure the nation’s most critical assets. We now have one of the largest enterprises carrying some of the world’s most sensitive information embracing Crowd Security Intelligence™,” said Jay Kaplan, CEO of Synack. “As attacks become more sophisticated, the DoD is taking a much needed innovative approach to security by harnessing the world’s best security researchers. Over the last two years we have been able to deliver actionable results to our F500/G500 customers. Now it’s rewarding to be able to deliver those same benefits to the DoD.”