US Federal

Strengthen National Security, One Vulnerability at a Time

HackerOne's FedRAMP-authorized platform combines elite security researcher expertise with AI-powered solutions for unmatched vulnerability elimination across your agency's systems.

Speak with our experts

Why Federal agencies choose HackerOne

Contractors had tested our websites previously and found 10 low-risk vulnerabilities. But bug bounty hunters found the first vulnerability within five minutes and ultimately found 165 problems, some high risk. That result is a huge return on investment.

Hunter Price

Director of Air Force Digital Service

We know for a fact that sending a wide variety of hackers into a wide environment will result in something meaningful. It is a fact.

Chris Lynch

Director of Defense Digital Service, DoD

It’s hard to find and retain security professionals. With our program, we know we are getting fresh eyes to look at these problems in a vast sea of assets. We have over 6,000 individuals contribute to our program, submit over 53,000 reports, and 56% of those are actionable year over year.

Melissa Vice

VDP Director, DOD Cyber Crime Center (DC3)

HackerOne Partners

Federal contract vehicles & partners

HackerOne solutions are available through multiple federal contract vehicles and partners, making procurement straightforward for government agencies.

GS-35F-0511T
NASA SEWP VDoD FA2 CVDD ( IDIQ)
Carahsoft
AWS Marketplace
Hack DHS: CVAS
Secure Soft Technologies

Zero Trust Mandate

We support your zero trust strategy

Learn how human security testing helps the U.S. government’s zero trust mandate.

Read blog post

Crowdsourced Security

Vetted security researchers for federal government programs

For sensitive testing requirements, our Clear program provides government agencies with access to ID-verified, background-checked, citizenship-filtered, location-specific, and security-cleared researchers.

Learn more about HackerOne Clear

Compliance & certifications

HackerOne helps streamline compliance documentation to support your security requirements.

FedRAMP Tailored LI-SaaS authorization: We are FedRAMP Authorized at the Tailored Low-Impact SaaS level. Our authorization package can be obtained by agencies from the FedRAMP PMO.
CISA BOD 20-01 alignment: Streamline your VDP with a dedicated triage team and built-in attestation reports.
FISMA compliance: Aligned with Federal Information Security Modernization Act requirements.
NIST framework adherence: Mapped to NIST 800-53 and NIST 800-171.
Executive Order 14028: Supporting the cybersecurity requirements outlined in the 2021 executive order.

Learn more

Federal security ROI: Measured in minutes & millions

Hack the Pentagon

13

Minutes to first vulnerability report

200

Reports submitted in first 6 hours

138

Valid vulnerability reports

$75k

Bounties paid

Defense Industrial Base VDP Pilot

12

Month pilot program

1,019

Vulnerability reports processed

400

Vulnerabilities remediated

$61m

Saved for taxpayers

Hack U.S.

7

Days

267

Security researchers

349

Valid vulnerability reports

$75k

Bounties paid

DoD DC3 VDP

100%

Response

11

Hours to triage

50k+

Reports received

2,738

Security researchers thanked

Strength in every layer

Built around a defense-in-depth strategy.

This layered approach creates a feedback loop that evolves with emerging threats, keeping you one step ahead.

Questions about VDP?

Consult our security experts.

According to the CISA binding operational directive 20-01, federal agencies must implement a VDP. The directive has many federal agencies asking questions such as:

How do we set up a system for quickly triaging vulnerabilities that both satisfies compliance requirements and doesn’t overwhelm our team?
How do we manage inbound vulnerability reports and communicate with external researchers safely and efficiently?
How do we satisfy all CISA requirements before the deadline without compromising our holistic security posture?

Our security experts are here to consult you on the best course of action for your agency.