The Department of Homeland Security is planning to award up to four contracts as early as next month for vetted security researchers to find software bugs in DHS systems, including at live hacking events.
DHS released the “Hack DHS: Crowdsourced Vulnerability Assessment Services” request for proposals Aug. 3. Companies have until Aug. 15 to submit “phase one” proposals so DHS can complete an “advisory down-select.” Companies that get through the first phase will have until Aug. 30 to submit phase-two proposals, which include a technical approach, past performance and price documentation.
DHS plans to award at least three, and potentially four, indefinite-delivery, indefinite-quantity contracts, according to the RFP documents. The agency could set aside up to three of the awards for small businesses.
The contracts could last up to five years. The collective potential value maxes out at $43 million, according to the documents.
DHS is planning to award the contracts as early as mid-September.
Major software companies now routinely use crowdsourced security research to find bugs in their code. DHS is modeling its effort after the Defense Department’s “Hack the Pentagon” program, considered to be the first bug bounty program in the federal government.
John Pescatore, director of emerging security trends at the SANS Institute, says the bug bounty programs have proven successful because they use software experts to identify vulnerabilities at relatively low cost compared to other cybersecurity services.
“They’re really software people that do this for fun or extra income, or just they do it 24 hours a day because they want to find [bugs],” Pescatore said. “So when they describe the vulnerability, they describe it in terms other developers understand versus what security people understand. The success has been the quantity of software bugs found per dollar spent, compared to a typical [penetration] testing engagement that you would do with a single contractor.”
DHS phased program
The forthcoming awards come as DHS looks to grow its “Hack DHS” bug bounty efforts. The department is expanding on a platform initially developed by the Cybersecurity and Infrastructure Security Agency, which last year selected firms Bugcrowd and EnDyna to launch a government-wide vulnerability disclosure policy platform.
Last December, DHS commissioned bug bounty hunters to find instances of the critical vulnerability in the open-source Log4j logging library across its public-facing information systems. Researchers found 17 previously unknown assets that were susceptible to the vulnerability.
All told, during the first phase of the “Hack DHS” program, 450 security researchers identified 122 vulnerabilities, including 27 critical bugs. DHS awarded a total of $125,600 to researchers for finding the vulnerabilities, according to an April update.
The second phase of the program will involve live, in-person hacking events, while the third and final phase of the effort will “identify and review lessons learned” to inform plans for future bug bounties.
The solicitation documents show DHS plans to run six “time-boxed” challenges and two continuous challenges during the first year of the contract. Each contractor must also be able to support live hacking events lasting up to four days with between 15 and 50 security researchers.
DHS officials are ultimately looking to use bug bounty researchers to identify vulnerabilities in more of its critical, internal systems.
“We’re looking at different parts of the department, different critical systems and also, in some cases, even introducing in-person elements to this as we think about interacting with the operational technology environments as well,” DHS Chief Information Officer Eric Hysen said in May.
‘You’ve got to do something’
Agencies have increasingly embraced bug bounties as part of their cybersecurity programs. In 2020, CISA issued a binding operational directive requiring all federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy. The Justice Department has also opened the door by announcing that it will not charge good-faith security research as a computer crime under the Computer Fraud and Abuse Act.
As part of his work at SANS, Pescatore advises bug bounty companies and helps provide them with user feedback on their efforts. Based on the contract documentation, Pescatore says DHS appears to be putting together a carefully considered program.
But he said identifying the vulnerabilities can’t be the end of the story.
“You’ve got to do something — fix them ideally or figure out why they’re getting in there and stop them,” Pescatore said. “Because if you don’t fix why they’re getting in there, the next year, you will be paying another researcher to find identical vulnerabilities.”
Agencies also face the challenge that the vast majority of the government’s software is developed and supplied by contractors. The White House is developing highly anticipated guidance for how agencies should verify the security of the software they buy.
While strict security requirements are difficult to write into contracts, Pescatore says using a vulnerability disclosure program is one clear sign of a modern software company.
“One thing I’ve urged both government and private industry, if you’re doing a procurement for software, maybe you can’t get all this complex language in about application security and blah, blah, blah, but any evaluation criteria, at least ask them, ‘Do you use a managed bug bounty program?’” he said. “And if the answer is no, I guarantee probably one of their competitors is going to say yes.”