The Department of Homeland Security (DHS) has issued a solicitation for Hack DHS – a multi-year bug bounty program – to procure services that will support the program in future years, with a contract value of up to $43 million.
In accordance with the SECURE Technology Act, DHS in December 2021 approved the multi-year bounty program “using proven crowd-sourced cybersecurity assessment methodologies.” The Act allows DHS to provide compensation to researchers who evaluate DHS’ information systems through mimicking malicious behavior.
Through the new solicitation, the agency is seeking services that will assist in proactively protecting DHS’ networks and systems that support mission-essential and high-valued assets critical for daily operations.
Through an Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle, the request for proposals (RFP) calls for six time-boxed challenges and two continuous challenges during the contract’s first year, then up to 12 time-boxed and five continuous challenges in the optional contract years following that.
DHS is looking to award up to four IDIQ contracts through the RFP, each covering a one-year base period followed by four optional one-year periods. In total, the contracts hold a cumulative value of $43 million.
“The resultant IDIQ contract will be used to conduct crowdsourced vulnerability discovery and disclosure activities across the full range of networks, systems, and information, including web applications, software, source code, software-embedded devices and other technologies as solicited across the whole Department of Homeland Security, or other assets as deemed appropriate by the program office,” the RFP says.
Submissions are due no later than August 15.