Following Election Hacks, DoD Launches Crowdsourced Security Initiative with $7 Million in Contracts


Earlier in the year, the Department of Defense started a pilot program called "Hack the Pentagon." DoD invited vetted hackers to test the security of its websites and networks amidst growing cyber security concerns. Following the news of foreign hackers targeting the election and government offices, the DoD is taking the initiative even further. The Department is launching a two-pronged program with HackerOne and Synack for a total of $7 million in contracts.

DoD awards $7 million crowdsourced security contracts to Synack and HackerOne

After inviting white hat hackers to seek vulnerabilities in the Department's 488 websites under a bug bounty program, DoD is strengthening its security initiatives even further. The "Crowdsourced Security Initiative" will benefit from crowd-sourced security intelligence, focusing on the power of security researchers to scour the DoD’s applications, websites and networks for vulnerabilities.

HackerOne will be responsible for public facing properties, while Synack will run mission-critical and sensitive IT assets. Hack the Pentagon was already managed by HackerOne, who will continue to run bug bounty programs. Synack, on the other hand, gets a new contract that is designed after private bounty incentive model, where only the highly vetted researchers will focus on the most sensitive IT assets of the DoD.

DoD has joined the "list of forward-thinking global enterprises, recognizing that the only way they can stay ahead of the over 77,000 annual cyber incidents with which U.S. Federal Government agencies face each year, is to adopt a model that can scale to the threats," Jay Kaplan, CEO of Synack wrote. This is the largest government contract ever awarded in this space.

The complete press release is attached below.

San Francisco, CA – October 20, 2016 — The U.S. Department of Defense (DoD) announced today it awarded contracts for crowdsourced vulnerability discovery and disclosure programs to HackerOne and Synack. The contracts will enable DoD to create a vehicle for future crowdsourced challenges and reward the research community to identify and resolve security vulnerabilities within DoD digital assets. The two-pronged effort in partnership with Synack and HackerOne will harness the power of security researchers to scour the DoD’s applications, websites and networks for vulnerabilities.

After the success of the “Hack the Pentagon”pilot led by Defense Digital Services and managed by HackerOne, the DoD will launch a full scale program to include more public facing properties as well as mission-critical assets through two distinct contracts. The first contract, awarded to HackerOne, will allow DoD and HackerOne to run bug bounty challenges similar to Hack the Pentagon to protect public facing assets and domains. The new contract, awarded to Synack, is modeled after a private, managed bounty incentive model utilizing only highly vetted researchers and is focused on the DoD’s sensitive IT assets.

The RFP was issued in August 2016. After completing a thorough and competitive process for each of the contracts, the DoD, moving with a pace more common to a Silicon Valley company, awarded these two contracts in September 2016. The combined contracts are valued at $7 million and are expected to cover up to 14 challenges and reward hundreds of security researchers.

“As adversaries become more sophisticated and the threat environment continues to evolve, maintaining the highest levels of security has never been more important,” said Mark Wright, Spokesman at Office of the Secretary of Defense. “By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets.”

"No government or organization is so powerful that it does not need outside help identifying security issues. Working with the external hacker community will supplement the crucial cybersecurity work that DoD is doing internally,” said Marten Mickos, CEO HackerOne. “Securing our online society is paramount and this puts the U.S. federal government in the forefront.”

“This award really marks a turning point in harnessing innovation to secure the nation’s most critical assets. We now have one of the largest enterprises carrying some of the world’s most sensitive information embracing Crowd Security Intelligence™,” said Jay Kaplan, CEO of Synack. “As attacks become more sophisticated, the DoD is taking a much needed innovative approach to security by harnessing the world’s best security researchers. Over the last two years we have been able to deliver actionable results to our F500/G500 customers. Now it’s rewarding to be able to deliver those same benefits to the DoD.”

HackerOne and Synack are the leaders in the crowdsourced security industry and will help the DoD to quickly and efficiently launch challenges to help secure DoD assets and increase adoption of the crowdsourced approach to security. Secretary of Defense, Ash Carter‘s assessment of the initial Hack the Pentagon pilot was that they got higher efficacy and superior results when compared to a more traditional testing approach.


About HackerOne

HackerOne is the world’s most popular bug bounty platform, connecting organizations with the world's largest community of highly-qualified hackers. More than 600 organizations, including The U.S. Department of Defense, General Motors, Uber, Twitter, GitHub, Kaspersky Lab, Square, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved more than 31,000 vulnerabilities and awarded hackers more than $10,000,000 in bug bounties. HackerOne is headquartered in San Francisco. For more information, please visit

About Synack

Based in Redwood City, California, Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker’s eyes. Synack’s private, managed crowdsourced security solution arms clients with hundreds of the world's most skilled, highly vetted  ethical hackers who provide a truly adversarial perspective of clients’ IT environments. Synack’s confidential client base is comprised of some of the largest F500/G500 enterprise organizations across banking and financial services, healthcare, consumer goods and retail, manufacturing, technology  and the U.S. Federal Government. All engagements are conducted by Synack’s vetted skilled professionals and are treated with absolute privacy. Synack was founded in 2013 by former NSA security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO. For more information, please visit