Security by the People: Announcing HackerOne’s FedRAMP Authorization

In the face of unprecedented cybersecurity threats, governments around the world are searching for creative ways to secure their most precious asset: their data. For years, federal and local governments seeking pathbreaking solutions have turned to HackerOne, drawing on our community of hackers to keep their citizens and their information safe. HackerOne has partnered with the government to secure attack surfaces, build legal infrastructure, and educate citizens and policymakers alike.

Today marks a new chapter in that story. HackerOne has become the first hacker-powered security vendor to receive FedRAMP Tailored Low Impact-Software as a Service (LI-SaaS) Authorization. Now any government agency can utilize the skill sets and experience of half a million ethical hackers.

This extraordinary milestone is the result of a longstanding relationship between HackerOne and the U.S. government. In 2016, the Department of Defense (DoD) handpicked HackerOne to run the government’s first hacker-powered security initiative, Hack the Pentagon. After this successful event, a myriad of hacker-powered security programs followed, including Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Air Force 3.0, Hack the Defense Travel System, Hack the Marine Corps and much more.

For the DoD, Hack the Pentagon underscored the importance of opening their door to the security community on a continuous basis. Working closely with HackerOne, the department launched a vulnerability disclosure program (VDP), inviting ethical hackers and security researchers to submit vulnerability reports. As with their Hack the Pentagon initiative, the DoD selected HackerOne’s VDP because it represents the industry’s first, most comprehensive disclosure program. The program has since surfaced over 12,000 vulnerabilities in just four years.

A year after Hack the Pentagon, the GSA’s Technology Transformation Service (TTS) became the first federal civilian agency to integrate hacker-powered security into their defense infrastructure. TTS partnered with HackerOne to launch a bug bounty program.

In December 2019, HackerOne’s thought leadership and innovation culminated in a public policy breakthrough. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a first-of-its-kind draft directive requiring that all federal civilian agencies establish a vulnerability disclosure program, or VDP — the equivalent of a “see something, say something” policy for the digital world. The directive invites outside experts to identify and report security vulnerabilities before bad actors can exploit them. 

Over four hundred civilian agencies operate within the federal government. Each is responsible for securing a wealth of digital assets. If the country is a body, then this data is its lifeblood, delivering oxygen to everything from our power grid to our national defense systems. And yet these agencies are frequent targets of cyber attacks -- and it’s only going to get worse.

Fortunately, HackerOne’s FedRAMP Authorization has unlocked a bright future for local and federal government agencies. Any agency is now free to partner with HackerOne to secure their digital resources.

Our mission is to empower the world to build a safer internet, and we are proud to extend this mission across the federal government. HackerOne stands ready to deliver security by and for the people.