October 20, 2016 | Press Release

DoD Awards $7 Million Crowdsourced Security Contracts to HackerOne and Synack

Launch of Crowdsourced Security Initiative is Latest Validation for Organizations Using Crowdsourced Security Experts to Test for Security Vulnerabilities

SAN FRANCISCO, Calif.–(BUSINESS WIRE)–The U.S. Department of Defense (DoD) announced today it awarded contracts for crowdsourced vulnerability discovery and disclosure programs to HackerOne and Synack. The contracts will enable DoD to create a vehicle for future crowdsourced challenges and reward the research community to identify and resolve security vulnerabilities within DoD digital assets. The two-pronged effort in partnership with Synack and HackerOne will harness the power of security researchers to scour the DoD’s applications, websites and networks for vulnerabilities.

“Securing our online society is paramount and this puts the U.S. federal government in the forefront.”

Tweet this

After the success of the “Hack the Pentagon” pilot led by Defense Digital Services and managed by HackerOne, the DoD will launch a full scale program to include more public facing properties as well as mission-critical assets through two distinct contracts. The first contract, awarded to HackerOne, will allow DoD and HackerOne to run bug bounty challenges similar to Hack the Pentagon to protect public facing assets and domains. The new contract, awarded to Synack, is modeled after a private, managed bounty incentive model utilizing only highly vetted researchers and is focused on the DoD’s sensitive IT assets.

The RFP was issued in August 2016. After completing a thorough and competitive process for each of the contracts, the DoD, moving with a pace more common to a Silicon Valley company, awarded these two contracts in September 2016. The combined contracts are valued at $7 million and are expected to cover up to 14 challenges and reward hundreds of security researchers.

“As adversaries become more sophisticated and the threat environment continues to evolve, maintaining the highest levels of security has never been more important,” said Mark Wright, Spokesman at Office of the Secretary of Defense. “By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets.”

“No government or organization is so powerful that it does not need outside help identifying security issues. Working with the external hacker community will supplement the crucial cybersecurity work that DoD is doing internally,” said Marten Mickos, CEO HackerOne. “Securing our online society is paramount and this puts the U.S. federal government in the forefront.”

“This award really marks a turning point in harnessing innovation to secure the nation’s most critical assets. We now have one of the largest enterprises carrying some of the world’s most sensitive information embracing Crowd Security Intelligence™,” said Jay Kaplan, CEO of Synack. “As attacks become more sophisticated, the DoD is taking a much needed innovative approach to security by harnessing the world’s best security researchers. Over the last two years we have been able to deliver actionable results to our F500/G500 customers. Now it’s rewarding to be able to deliver those same benefits to the DoD.”

HackerOne and Synack are the leaders in the crowdsourced security industry and will help the DoD to quickly and efficiently launch challenges to help secure DoD assets and increase adoption of the crowdsourced approach to security. Secretary of Defense, Ash Carter‘s assessment of the initial Hack the Pentagon pilot was that they got higher efficacy and superior results when compared to a more traditional testing approach.

About HackerOne

HackerOne is the world’s most popular bug bounty platform, connecting organizations with the world’s largest community of highly-qualified hackers. More than 600 organizations, including The U.S. Department of Defense, General Motors, Uber, Twitter, GitHub, Kaspersky Lab, Square, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved more than 31,000 vulnerabilities and awarded hackers more than $10,000,000 in bug bounties. HackerOne is headquartered in San Francisco. For more information, please visit https://hackerone.com.

About Synack

Based in Redwood City, California, Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker’s eyes. Synack’s private, managed crowdsourced security solution arms clients with hundreds of the world’s most skilled, highly vetted ethical hackers who provide a truly adversarial perspective of clients’ IT environments. Synack’s confidential client base is comprised of some of the largest F500/G500 enterprise organizations across banking and financial services, healthcare, consumer goods and retail, manufacturing, technology and the U.S. Federal Government. All engagements are conducted by Synack’s vetted skilled professionals and are treated with absolute privacy. Synack was founded in 2013 by former NSA security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO. For more information, please visit https://www.synack.com/Government/.


Lauren Koszarek
[email protected]
Matt Bryant
[email protected]

About Synack

Based in Redwood City, CA, Synack redefines the traditional model of security testing with technology that allows customers to safely engage a global, on ­demand community of trusted security researchers. Synack’s platform is massively scalable and enables rapid and efficient vulnerability discovery. Synack was founded in 2013 by security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO.

Media Contact

Mike Farrell