Beyond a VDP: How a Challenge Brings Proactive Security to Your Agency

HackerOne Blog

The U.S. Federal Government has recently been pursuing a campaign to improve its agencies’ resistance to cyberattacks and reduce the federal government's overall cyber risk. In September 2020, CISA published its official Binding Operational Directive requiring all federal agencies to establish and operate a Vulnerability Disclosure Program (VDP).

Vulnerability Disclosure Programs create an effective means for researchers and other users to report discovered vulnerabilities and weaknesses. Because federal agencies have a significant impact on the general public and national security, CISA recognizes a reporting program such as a VDP as an “industry standard” for maintaining modern digital security.

However, VDPs are only the baseline when it comes to engaging with external researchers and hackers. A VDP is a reporting mechanism that makes it easy, effective, and safe to report vulnerabilities, but it is not designed to encourage regular and targeted testing of an agency’s assets. This is because VDPs do not offer any financial or other tangible payment to finders. As a result, there is a practical limit on the time and skill that hackers will invest in looking for vulnerabilities.

There is significant additional value to be gained from the global hacking community by expanding your program to include a bug bounty. The fundamentals and operation of a bug bounty program are the same as a VDP, but with the addition of monetary rewards paid to finders based on the severity and type of bug. With a bug bounty, professional hackers become a continuous testing tool: a proactive measure to encourage thorough and targeted testing of in-scope assets.

From a crowdsourced security maturity perspective, a bug bounty program is the next step after a VDP. However, bug bounties also require additional investments in time and money that may put them out of reach for some agencies. Bounties attract more findings and therefore require more time to triage and manage the program. In addition to the program fee, there is a bounty pool fund that pays for vulnerabilities. For some agencies, a persistent bounty program may not be the right fit for a number of reasons, including resource or budget constraints, lower cyber risk or complexity, or insufficient size.

An alternative option that provides the benefits of deeper, targeted testing without the long-term operational costs of a permanent program is running a bug bounty challenge against your agency’s VDP assets. 

Benefits of a Challenge

A HackerOne Challenge is a time-bound engagement that gives an agency on-demand access to the security testing experience of our trusted global hacker community. Similar to a penetration test or other limited time engagement, Challenges provide control over the duration, scope, and participants that will test the scope. 

Challenges require a smaller, one-time investment compared to running a permanent program. For certain agencies and organizations, Challenges run periodically (such as annually) may be the ideal method to capture new vulnerabilities with meaningful security impact in a budget-friendly way. The results of a Challenge can be useful in helping an agency understand if and when it's necessary to consider a permanent bounty program.

A HackerOne Challenge can be set up and started in as little as two weeks. Depending on the length of the Challenge, final results can be delivered in under two months. Challenges are highly customizable to fit any timeline. Because Challenges are a limited engagement, the contract, approval, and scoping processes are simplified.

The Department of Defense has operated a VDP with HackerOne since 2016. In 2022 they launched a bug bounty challenge titled Hack U.S. This was the first time the DoD provided monetary bounties, after years of running an active and successful VDP program. In just 7 days, hackers submitted 349 valid reports to the Hack U.S. Challenge.

HackerOne can run a Challenge in addition to any VDP, including those hosted by other commercial providers and self-hosted programs. HackerOne is FedRAMP certified.

During setup, HackerOne will select and invite hackers from our community with relevant skill sets and experience in the technology stack and vulnerability types that match an agency’s desired scope, which can, and sometimes should, be more limited than a public VDP.

If a bug bounty program or challenge has never been run against your assets, we encourage trying one out, even if you believe your assets are well-secured and hardened. Challenges are a rewards-based, invitation-only exercise against your same VDP assets, but with very different results. 

Learn more about the differences between a VDP and bug bounty and how professional hackers can benefit your agency in our webinar with Corben Leo, a security researcher from the Hack U.S. program.
