Synack and IRS join forces for private bug bounty program

The Internal Revenue Service has awarded a $2 million sole-source contract to a crowdsourced security company to penetration test its computer networks using a global network of vetted white-hat hackers.

Redwood City, Calif.-based Synack, Inc. announced Tuesday it got the IRS contract after a pilot at the agency this spring — and after being selected earlier this year by the Pentagon to co-lead a follow-up effort to “Hack the Pentagon” — the first bug bounty program in the federal government.

“We are excited to see vital government bodies, like the IRS and [Department of Defense], move even more quickly than many enterprises to implement our innovative crowdsourced security approach,” said Synack CEO Jay Kaplan in a release. Kaplan and his co-founder CTO Mark Kuhr left the NSA to found the company, which has pioneered “private crowdsourcing” using a highly vetted “global community” of “skilled ethical hackers,” according to Kaplan.

Unlike conventional, open-crowd bug bounty programs, Synack says it rigorously vets and tracks its white-hat hackers “ensuring the customer has continuous visibility and management over all Synack Red Team activities.”

“This transparency was a key differentiator for the IRS,” according to Kaplan, since these added management features make the product suitable for “the government’s [most] sensitive IT assets.”

The IRS said in procurement documents that the private crowdsourcing model “has been publicly adopted by U.S. intelligence agencies, including the FBI.”

The details of the contract are confidential, and a company spokesman referred CyberScoop to IRS Commissioner John Koskinen’s comments that the agency’s cybersecurity focus is to “prevent criminals from accessing taxpayer information stored in our databases.”

Kaplan said the company would now be offering its services to other federal agencies. “As attackers and threats become more savvy, federal agencies are recognizing that advanced security is paramount,” he noted. Synack Government would provide protection tailored to “some of the most sensitive transactional data and mission-critical IT assets in the country.”

When DoD announced the contract vehicle for the “Hack the Pentagon” follow-up, Defense officials expressed the hope that their use of a crowdsourced security model could serve as a “road map” for other departments and agencies across the federal government to adopt and implement as well.