Bug bounty companies have a solid track record with federal agencies, but the relationship is an unusual one, as far as IT services go: The platforms give freelance hackers access to specific parts of an agency’s technology, and those individuals earn money for identifying vulnerabilities. The companies don’t touch much of an agency’s tech directly.
That’s why a recent announcement by HackerOne stuck out among the usual flow of press releases from companies touting new authorizations under the Federal Risk and Authorization Management Program. The San Francisco firm said May 18 that it had received FedRAMP’s Tailored Low-Impact Software-as-a-Service (LI-SaaS) authorization, making it the first bug bounty company to get one.
LI-SaaS is for low-risk, low-cost services, but here’s why it matters: HackerOne says the designation uniquely positions it to capitalize on a forthcoming requirement that all federal agencies adopt vulnerability disclosure policies (VDPs). The Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 20-01, released Nov. 27, remains in draft form. But the directive will require all agencies to have VDPs permitting outside security research into unknown system vulnerabilities.
In essence, the government is looking for ways to ensure that hackers can do the right thing whenever they find something wrong. Unlike bug bounties, VDPs offer a reactive, “see something, say something” approach without a reward, Reed Loden, security director at HackerOne, told FedScoop.
“Definitely this will be a big boon in the bug bounty and vulnerability disclosure space,” Loden said.
The authorization covers all of the HackerOne platform’s cloud offerings: bug bounty programs, vulnerability disclosure programs and penetration (“pen”) testing. Under FedRAMP, which approves and continuously monitors cloud services governmentwide, HackerOne bolstered its software testing life cycle across all three. The authorization verifies the company’s ability to spin up programs quickly and securely in the cloud, tailored to agencies’ data restrictions.
The development comes as bug bounty firms face pressure to grow their businesses amid industry concerns that crowdsourced programs catch less-important bugs but miss the more critical vulnerabilities. So, they’ve altered their business models to include pen testing. Those scans for vulnerabilities are more precise and time-sensitive, and they can be honed based on bug bounty program feedback. But that market is also more mature. While the FedRAMP authorization is “potentially” beneficial for HackerOne’s pen testing business, there are also more established competitors in the space who were already authorized, Loden noted.
The push from GSA and CISA
The General Services Administration is seeking industry input on a software-as-a-service platform supporting vulnerability disclosure, according to a request for information issued on behalf of CISA on May 12. CISA’s desired platform would standardize submission, tracking and routing of vulnerability reports submitted to agencies by any independent security researcher trying to help without the promise of a bounty.
HackerOne Response does just that.
“Now that we’ve gotten this [FedRAMP] authorization, it makes it way easier for other federal agencies to pick us up and start using us,” Loden said.
HackerOne works with GSA — which sponsored its FedRAMP authorization — and numerous Department of Defense services and agencies like the Navy, Army, Air Force, Marines, Cyber Crime Center, and Defense Digital Service. DOD runs an ongoing vulnerability disclosure program with HackerOne across its public-facing systems that’s yielded more than 12,000 valid reports, Loden said.
The firm’s quest for FedRAMP authorization began when its one-year bug bounty pilot with GSA’s Technology Transformation Services came up for rebid in 2018. GSA’s FedRAMP team instituted a policy that new cloud service providers must be authorized.
TTS awarded a multi-year bug bounty contract to HackerOne, a program that continues. And now that the firm is FedRAMP authorized, any agency may request its system security plan (SSP) and issue an authority to operate (ATO).
Until its competitors become FedRAMP-authorized, HackerOne would seem to have the GSA market cornered. GSA would not comment directly on the nature of the bug bounty industry overall.
“GSA continues to look at all technology in support of IT modernization and improving services to the American people,” said an agency spokesperson.
Rival bug bounty platforms Bugcrowd and Synack aren’t FedRAMP authorized yet, despite offering the same services as HackerOne. Bugcrowd boasts government clients like DOD, the Air Force and DDS, while Synack has provided crowdsourced security testing to 18 federal agencies over the last five years, including GSA, the Department of Health and Human Services, Centers for Disease Control and Prevention, IRS, Department of Transportation, Air Force, Army, the Defense Information Systems Agency and DDS.
Both companies said they will continue to offer existing services while looking to expand their federal work.
FedRAMP authorization is on Bugcrowd’s roadmap, according to a company spokesperson.
Synack’s chief technology officer, Mark Kuhr, pointed out the government does not yet require FedRAMP authorization for vulnerability disclosure programs, so the company could still compete with HackerOne for the CISA vulnerability disclosure platform contract.
“We take government security standards seriously. We’ll abide by any compliance standards our government customers feel are required to satisfy their mission assurance goals,” Kuhr said. “Similar to any other requirements, if FedRAMP becomes required for VDP we would be happy to comply.”
In the meantime, HackerOne hasn’t hesitated to imply that it might have a leg up on the competition.
“This authorization underscores the momentum that HackerOne has achieved in the federal government and demonstrates our ability to help make our public sector customers’ digital transformations into security transformations,” said Lynn Chia, director of federal, in a May 18 announcement.