Request for proposals

DHS Seeks Proposals for Permanent Bug Bounty Program

The Department of Homeland Security has issued a request for proposals for a permanent bug bounty program, which would crowd-source cybersecurity testing services from vetted researchers.

DHS intends to issue a multiple-award indefinite-delivery/indefinite-quantity contract worth up to $43.16 million for the solicitation, according to the RFP posted on SAM .gov.

The contractor is required to have a pre-existing relationship with a security research community with at least 1,000 domestic and international members.

In addition, the awardee will maintain a vulnerability discovery and disclosure platform capable of securely displaying research reports, actively managing researcher access to assets and tracking the progress of ongoing assessments. Responses are due June 23.

The program’s scope will cover all networks, systems and information systems across the DHS, among other assets identified by the responsible program office.

DHS issued the RFP following the conclusion of its Hack DHS pilot bug bounty program, which ran from December 2021 through April 2022.

In a statement, Secretary of Homeland Security Alejandro Mayorkas, a 2021 Wash100 winner, said that Hack DHS shows the department’s commitment to keeping up with the increasing sophistication of cyber threats.

DHS added that it launched the pilot to create a template that other government agencies of all sizes can use to build their cybersecurity programs.

Hack DHS itself was modeled after the Department of Defense’s Hack the Pentagon bug bounty program.