The Department of Homeland Security last Thursday issued a final solicitation for its new program aimed at allowing vetted security researchers to hack the department’s networks and information systems to help find and close cybersecurity gaps.
The solicitation follows a decision last December by Homeland Security Secretary Alejandro Mayorkas to make the bug bounty program permanent after the department conducted a successful pilot evaluation that began in 2018. The program is modeled on one done at the Department of Defense.
In March, DHS issued a Request for Information and a draft performance work statement to outline its plans for the permanent program and obtain feedback ahead of the final solicitation.
Contractors must have their own vulnerability discovery and disclosure platform, the final work statement says.
Work under the upcoming indefinite-delivery, indefinite-quantity contract vehicle will cover network, system, and information systems to include web applications software, source code, hardware, software-embedded devices, and other technology as solicited across DHS.
DHS anticipates awarding the contract in August for a one-year base period and up to four one-year options. Responses are due by June 23.