Ethical hacking company HackerOne has achieved authorization for use by federal agencies as the government prepares to create vulnerability disclosure programs for public-facing websites.
In a May 18 announcement, HackerOne announced it achieved an authorization through the Federal Risk and Authorization Management Program known as tailored low impact-software as a service. FedRAMP is a program inside the General Services Administration that approves cloud tools for use in the federal government.
HackerOne’s authorization is a significant step for the company, as agencies want to create vulnerability disclosure programs for their public-facing websites under a draft mandate released in November 2019 by the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
Vulnerability disclosure programs allow ethical hackers to legally probe public-facing websites as long as they report vulnerabilities to the agency for remediation.
HackerOne’s FedRAMP authorization was sponsored by the GSA, which started using the company’s services in 2017 and later awarded it a multiyear contract.
The company’s credentials are also well-established inside the Department of Defense, where it runs a vulnerability disclosure program for the department’s outward-facing websites. So far, more than 12,000 vulnerabilities have been discovered.
It’s also provided several bug bounty programs for the military services, in which ethical hackers search for security gaps in specific service platforms and compete for prizes. The company previously partnered with the Air Force, Army and Marine Corps, as well as other internal DoD components.
“Achieving FedRAMP Tailored LI-SaaS authorization is a testament to HackerOne’s long-standing commitment to ensuring a secure environment for our U.S. government clients,” Lynn Chia, director of federal business at HackerOne, said in a statement. “This authorization underscores the momentum that HackerOne has achieved in the federal government and demonstrates our ability to help make our public sector customers’ digital transformations into security transformations.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.