Tuesday, November 26, 2024

FedScoop: What one bug bounty platform’s FedRAMP authorization means for the industry

“Bug bounty companies have a solid track record with federal agencies, but the relationship is an unusual one, as far as IT services go: The platforms give freelance hackers access to specific parts of an agency’s technology, and those individuals earn money for identifying vulnerabilities. The companies don’t touch much of an agency’s tech directly.”

“That’s why a recent announcement by HackerOne stuck out among the usual flow of press releases from companies touting new authorizations under the Federal Risk and Authorization Management Program. The San Francisco firm said May 18 that it had received FedRAMP’s Tailored Low-Impact Software-as-a-Service (LI-SaaS) authorization, making it the first bug bounty company to get one.”

“LI-SaaS is for low-risk, low-cost services, but here’s why it matters: HackerOne says the designation uniquely positions it to capitalize on a forthcoming requirement that all federal agencies adopt vulnerability disclosure policies (VDPs). The Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 20-01, released Nov. 27, remains in draft form. But the directive will require all agencies to have VDPs permitting outside security research into unknown system vulnerabilities.”

“In essence, the government is looking for ways to ensure that hackers can do the right thing whenever they find something wrong. Unlike bug bounties, VDPs offer a reactive, ‘see something, say something’ approach without a reward, Reed Loden, security director at HackerOne, told FedScoop.”

“‘Definitely this will be a big boon in the bug bounty and vulnerability disclosure space,’ Loden said…” Read the full article here.

Source: What one bug bounty platform’s FedRAMP authorization means for the industry – By Dave Nyczepir, May 26, 2020. FedScoop.


Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.