Bringing Private-sector Security into the U.S. Government [Security@ Recaps]

“Hacking the U.S. Government” was the first panel discussion at Security@ SF, and it proved to be as interesting as you would expect. Jeff John Roberts, a technology writer at Fortune, moderated a Q&A session with two groundbreaking government security leads: Michael Chung, Product and Technology Lead at Defense Digital Service, and Jacob Kaplan-Moss, Engineering Supervisor at 18F, which is the technology consulting arm of the General Services Administration.

Jeff John Roberts, Michael Chung, and Jacob Kaplan-Moss on stage at Security@

Both Michael and Jacob hail from the private sector, with Michael having worked at Apple and Jacob at Heroku, among other firms. And, both were directly recruited by Todd Park, former U.S. Chief Technology Officer during the Obama administration. While neither saw a government role in their future, the call to serve was too hefty to decline. “There’s a weird thing that happens when someone says, ‘Your country needs you’,” said Jacob. “He said it and it worked.”

Their departments were created to bring more of a private-sector approach to the government’s use of technology. Hack the Pentagon is a great example of what’s been accomplished, especially considering the before and after results. Michael explained that, in the 3 years prior to their bug bounty pilot program, the Department of Defense’s security team found 30 bugs across 5 websites. With Hack the Pentagon, they found 138 in 4 weeks.

“The financial model proved so successful, we have groups within the DoD coming to us and asking us how we can implement this,” said Michael. He went on to say that they’ve run 6 bug bounty programs in the past year and “want to get that up to 50 or 60 bounty programs in the next 12 months.”

But as you might expect, working within the government is strikingly different than working in the private sector. “The open secret is that (these programs are) a trojan horse for culture change,” said Jacob. “There’s a lot of appetite to see change and do things differently.”

Watch the full session to learn more about what draws top security technologists to serve their country and get insights into some of the exciting security programs being implemented across the government.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.