The Department of Homeland Security last Thursday issued a Request for Information and a draft performance work statement outlining its plans to implement a bug bounty program that will allow vetted researchers to probe its networks for cybersecurity vulnerabilities.
The “Hack DHS” program, modeled after a similar effort instituted by the Defense Department, was launched as a permanent program following a successful pilot evaluation. DHS also points out that bug bounty programs are widely used in the private sector as best practice to find and close cybersecurity gaps.
Now DHS is reaching out to potential contractors for comment on the draft work statement and said it plans to award a potential five-year indefinite-delivery, indefinite-quantity contract for crowdsourced vulnerability and disclosure activities across its full range of networks, systems, and information, including web applications, software, source code, software-embedded devices and other technologies as they are solicited across the department.
“A bug bounty is a crowd-sourced penetration test, where security researchers are incentivized to find vulnerabilities (bugs) in systems in return for financial payments (bounties),” the draft work statement says. “Bug bounties are tightly controlled and monitored engagements facilitated by a contractor and the DHS Chief Information Security Officer (CISO).”
DHS says the winning contractor must have a “pre-existing” research community of more than 1,000 domestic and international individuals capable of meeting the goals of a task order under the contract. Responses to the RFI are due by March 17.