The White House
US Federal

Your Best Ally for VDP and Beyond

The Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 20-01 requires civilian federal agencies to accept vulnerabilities from third-party reporters. But setting up a vulnerability disclosure program (VDP) is a complex, time-consuming task. HackerOne can work with you to build a strategy for meeting regulatory standards – on budget, on time, and without overwhelming your staff.

The top choice for those who protect our citizens

The only FedRAMP-authorized organization in our space, HackerOne delivers safe, trusted, and efficient security for the Department of Defense, General Services Administration (GSA), all branches of the Armed Forces, and other federal agencies.

Need help developing and publishing a VDP because of BOD?

HackerOne’s federal experts are ready to assist you with your Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 20-01 disclosure response requirements.

Contact Us

VDP E-Book

Questions about VDP? Consult our experts

According to the CISA binding operational directive 20-01, federal agencies must implement a VDP. The directive has many federal agencies asking questions such as:

  • How do we set up a system for quickly triaging vulnerabilities that both satisfies compliance requirements and doesn’t overwhelm our team?
  • How do we manage inbound vulnerability reports and communicate with external researchers safely andefficiently?
  • How do we satisfy all CISA requirements before thedeadline without compromising our holistic securityposture?

There are five steps to effectively reducing the risk to your digital assets and data. Our team of security experts are ready to consult you on the best course of action for your agency. Contact us today.

Veteran Using Laptop

Serving those who serve our nation

  • Federal Civilian Agencies
  • Defense Agencies
  • Government Contractors
  • Aerospace Companies
  • State and Local Governments
Hack the Pentagon

Hack the Pentagon

Since 2016, HackerOne has partnered with the U.S. Department of Defense to defend their assets, starting with Hack the Pentagon‘s vulnerability disclosure program. Kris Johnson, Director of the VDP at the DoD, says “researchers are telling us what’s wrong with our systems. We have a ton of success stories.” That success has encouraged the DoD to proactively embrace crowdsourced security, saving $64 million and achieving nearly 800% ROI.

Hack the Army

Hack the Army

In partnership with the U.S. Army, HackerOne designed a program that targeted operationally significant assets. The bug bounty program attracted nearly 400 hackers and surfaced about 120 vulnerabilities -- including a critical bug that allowed bad actors to access an internal DoD database via the public-facing

US Department of Defense Logo

We saved more than $1M from this $150K investment—thus making the DoD more secure AND saving a boat load of money. It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.

A FedRAMP Authorized Vendor

FedRAMP is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services to ensure that the proper level of security is in place when government agencies seek to access them. We are FedRAMP Authorized at the Tailored Low-Impact SaaS level. Our authorization package can be obtained by agencies from the FedRAMP PMO.

Recommended HackerOne Solutions for the US Federal Government

Vulnerability Disclosure

Establish the process for and receive reporting of unknown or harmful security vulnerabilities to the proper person or team in your organization.

Bug Bounty

Trusted hackers continuously test for vulnerabilities with defined scope of coverage.

HackerOne Clear

Partner with proven, background-checked security researchers with the skills and reputation to match your specific needs.

Accreditation, Compliance, and Partners

Accreditation and Compliance
  • FedRAMP Tailored LI-Saas Authorized
  • ISO 27001: Info Sec Mgmt. System Certified
  • SOC 2 Type II
  • C5
  • MTEC