U.S. Government’s First Bug Bounty Initiative Turns Two; Issues Awards to Further Strengthen Internal DOD Assets
WASHINGTON, DC -- The Department of Defense announced today efforts to expand its successful ‘Hack the Pentagon’ crowdsourced security program. DOD awarded contracts to three private-sector Silicon Valley firms to boost the Department’s capacity to run bug bounties aimed at strengthening security for internal DOD assets.
Hack the Pentagon bug bounties are designed to identify and resolve security vulnerabilities across targeted DOD websites and assets and pay cash to highly vetted security researchers or ‘ethical hackers’ to discover and disclose bugs. DOD will continue to build out bug bounties for public-facing websites and pursue other crowdsourced security tactics.
As cyber threats persist, the Defense Department is working to identify innovative approaches to bolster security, combat malicious activities, and build trusted private sector partnerships to counter threats. Many of the nation’s largest technology firms and Fortune 500 companies use crowdsourced hacking programs as a low-cost tool to augment and strengthen the security and delivery of digital services.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, Director of the Defense Digital Service. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the Department.”
The Defense Department launched Hack the Pentagon in 2016 as the federal government’s first bug bounty program. Several months later, as part of the crowdsourced security initiative, DOD launched its Vulnerability Disclosure Policy, which provides a legal avenue for security researchers to find and disclose vulnerabilities in any DOD public-facing systems. The Hack the Pentagon program has since enabled DOD to identify and remedy thousands of security vulnerabilities.
New Private Sector Partnerships to Enhance Bug Bounties Targeting Internal Assets
In 2016, Hack the Pentagon established two contract vehicles that allow the department to run bug bounty assessments: one is aimed at public-facing websites and applications, while the other focuses on more sensitive, internal systems. The contract awards announced today will expand the program scope and capacity for bounties targeting private DOD assets, which include the tailored and bespoke products and systems for meeting defense mission needs.
The private sector partnerships will allow DOD to leverage the collective hacking communities and platforms of three Silicon Valley crowdsourced security firms: Bugcrowd, HackerOne and Synack. Including the three firms on the new contract enables the Department to tap into a wide variety of expertise and technical specialization as security assessments scale in type and complexity. The contract will enable vetted hackers to simulate real and insider threats to certain systems, bringing in valuable new security perspectives to emulate combat adversaries and mitigate risk.
New features of the enhanced program will enable DOD components to run continuous, year-long assessments of high-value assets. Through this model, DOD can maintain an open dialogue with vetted hacker participants throughout the development lifecycle of a system, which is particularly valuable as software and other assets are regularly updated. The expanded program will also allow the DOD to run assessments on a broader range of assets such as hardware and physical systems.
Hack the Pentagon
Hack the Pentagon is spearheaded by the Defense Digital Service (DDS), a DOD team charged with bringing in private sector talent and best practices to transform the way the Department approaches technology. Through Hack the Pentagon, DDS works with DOD components and external government agencies to advise on bug bounties, crowdsourced security, vulnerability disclosure policies, and private sector best practices and approaches.
Since the launch of the crowdsourced security program, thousands of talented ethical hackers have engaged with the DOD, and more than 8,000 valid vulnerabilities have been reported.
Promoting Crowdsourced Digital Defense
DOD’s Cyber Strategy emphasizes the importance of identifying crowdsourcing opportunities to identify and mitigate vulnerabilities more effectively:
“The Department will continue to identify crowdsourcing opportunities, such as hack-a-thons and bug-bounties, in order to identify and mitigate vulnerabilities more effectively and to foster innovation.”
In addition to expanding and enhancing DOD’s private bug bounties, the DDS is working to bring the benefits of crowdsourced security approaches across the DOD and build on the success of Hack the Pentagon as a valuable tool for enhancing security.
DDS has promoted a strong dialogue among ethical hackers, the security researcher community, and cyber experts across the DOD to exchange ideas, share perspectives and security approaches, and identify new training opportunities for military cyber talent. DDS has also begun to focus recruitment efforts toward the security research community with the aim of bringing in technical talent with unique security perspectives.
DDS continues to serve as a resource to other government agencies tasked with developing and launching their own disclosure policies and bug bounty programs. DOD agencies, services or other interested parties can send contract inquiries to hackthepentagon@dds.mil.