Federal Program
US Federal

Your Best Ally for VDP and Beyond

The U.S. Department of Defense has resolved more than 25,000 valid vulnerabilities through the HackerOne Attack Resistance Platform.


If you're not seeing that kind of success at your agency, it's time to look at new options for your CISA BOD-mandated VDP and more.

Protecting the nation since 2016

For 7 years and counting, HackerOne has partnered with the Department of Defense, General Services Administration (GSA), all branches of the Armed Forces, and other federal agencies—delivering safe, trusted, and efficient security via the world's largest community of skills-verified and background-checked ethical hackers. 

FedRAMP Tailored LI-SaaS authorized vendor

FedRAMP is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services to ensure that the proper level of security is in place when government agencies seek to access them. We are FedRAMP Authorized at the Tailored Low-Impact SaaS level. Our authorization package can be obtained by agencies from the FedRAMP PMO.

Federal contract vehicles and partners

  • GS-35F-0511T
  • Hack DHS: CVAS
  • Secure Soft Technologies
  • Carahsoft
  • AWS Marketplace

Zero Trust Mandate

We support your zero trust strategy

Learn how human security testing helps the U.S. government’s zero trust mandate.

Speak to a HackerOne Security Expert

Questions about VDP? Consult our security experts.

According to the CISA binding operational directive 20-01, federal agencies must implement a VDP. The directive has many federal agencies asking questions such as:

  • How do we set up a system for quickly triaging vulnerabilities that both satisfies compliance requirements and doesn’t overwhelm our team?
  • How do we manage inbound vulnerability reports and communicate with external researchers safely and efficiently?
  • How do we satisfy all CISA requirements before the deadline without compromising our holistic security posture?

Speak with a Security Expert

Our security experts are here to advise you on the best course of action for your agency.

Serving those who serve our nation

  • Federal Civilian Agencies
  • Defense Agencies
  • Government Contractors
  • Aerospace Companies

Hack the Pentagon

For 7-plus years, HackerOne has partnered with the U.S. Department of Defense to defend their assets, starting with Hack the Pentagon’s vulnerability disclosure program. Kris Johnson, Director of the VDP at the DoD, says “researchers are telling us what’s wrong with our systems. We have a ton of success stories.” That success has encouraged the DoD to proactively embrace crowdsourced security, saving $64 million and achieving nearly 800% ROI.

Hack U.S.

In partnership with the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services (DDS), and the DoD Cyber Crime Center (DC3), HackerOne launched the Hack U.S. bug bounty challenge, allowing ethical hackers from around the globe to earn monetary rewards for reporting critical and high vulnerabilities within the DoD VDP published scope. The bug bounty program attracted 267 hackers and surfaced 349 actionable vulnerabilities in just 7 days.

Professional hackers are a critical extension of our team. This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner.

HackerOne security solutions for US federal government

The HackerOne Attack Resistance Platform helps your agency outsmart cybercriminals—continuously testing your attack surface from an offensive point of view to find the most critical vulnerabilities.

Always-On Vulnerability Disclosure

Establish a process for receiving reports of unknown or harmful security vulnerabilities and routing them to the proper person or team in your organization.

Continuous Security Testing

Trusted hackers continuously test for vulnerabilities with defined scope of coverage, incentivized by bounty payments.

Discovery & Attack Surface Management

Gain full visibility over your attack surface. Discover, inventory, and risk-rank all of your digital assets to accelerate security actions.

Partner with HackerOne for Fed/SLED Security

HackerOne's mission is to build a safer internet—and thereby a safer government. If that's your goal, too, get in touch to discuss how we can join forces to enhance your security portfolio and eliminate complexity for your security customers. You'll be in good company:


Accreditation and compliance

  • FedRAMP Tailored LI-SaaS Authorized
  • ISO 27001: Info Sec Mgmt. System Certified
  • SOC 2 Type II