Dec 03 2018

DOD Expands ‘Hack the Pentagon’ to Include Hardware, Physical Systems

The Defense Department is contracting with three cybersecurity firms to get continual assessments of the security of its high-value assets.

The Defense Department has expanded its “Hack the Pentagon” bug bounty program to include hardware, physical systems and high-value defense assets.

The expanded program, which the DOD announced in late October, indicates that the bug bounty programs have been successful and that the Pentagon is willing to allow private sector companies to review vulnerabilities in more sensitive IT systems. The bug bounties are designed to identify and resolve security vulnerabilities across targeted DOD websites and other IT assets and pay cash to highly vetted security researchers, or “ethical hackers,” to discover and disclose bugs.

The DOD awarded the three-year contract to cybersecurity firms Synack, HackerOne and Bugcrowd to provide vetted hackers for continual assessments of defense websites, hardware and physical systems. The contract has a maximum value of $34 million.

“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” Chris Lynch, director of the Defense Digital Service, said in a statement. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the Department.”

The first Hack the Pentagon program occurred in 2016, as the Pentagon used crowdsourced cybersecurity expertise to detect hundreds of vulnerabilities in its public websites. Since then, the DOD has conducted a total of 11 bug bounty programs, including sessions examining the Army, Air Force, Defense Travel Service and, most recently, the Marine Corps in August, FedScoop reports.


DOD to Explore Vulnerabilities in More Sensitive Systems

In 2016, Hack the Pentagon established two contract vehicles that allow the department to run bug bounty assessments: One is aimed at public-facing websites and applications, while the other focuses on more sensitive, internal systems. The new contract expands the program’s scope and capacity for bounties targeting private DOD assets, “which include the tailored and bespoke products and systems for meeting defense mission needs,” according to a DOD statement.

“The contract will enable vetted hackers to simulate real and insider threats to certain systems, bringing in valuable new security perspectives to emulate combat adversaries and mitigate risk,” the statement says.

Notably, new features of the enhanced program will enable DOD components to run continuous, year-long assessments of high-value assets, according to the Pentagon. That way, the department can “maintain an open dialogue with vetted hacker participants throughout the development lifecycle of a system, which is particularly valuable as software and other assets are regularly updated.” 

The expanded program will also allow the DOD to conduct assessments on a broader range of assets, such as hardware and physical systems. That likely also will include more sensitive systems. 

While he declined to go into what those specific systems will be, HackerOne CEO Marten Mickos told Fifth Domain that the contract will focus on DOD systems that are more critical and perhaps more sensitive.

“We are stepping one step into more sensitive systems,” Mickos said. “We started from the very public ones, demonstrated amazing, amazing success there, so therefore [DOD is] saying let’s apply this same model and the same vendor to the more sensitive systems that we have.”

Through Hack the Pentagon, the Defense Digital Service works with DOD components and external government agencies to advise on bug bounties, crowdsourced security, vulnerability disclosure policies, and private sector best practices and approaches. 

Since the launch of the crowdsourced security program, thousands of talented ethical hackers have worked for DOD, and more than 8,000 valid vulnerabilities have been reported. 

The bug bounty ethos is being embedded in the Pentagon’s cybersecurity culture. DOD’s Cyber Strategy emphasizes the importance of identifying crowdsourcing opportunities to find and mitigate vulnerabilities more effectively: “The Department will continue to identify crowdsourcing opportunities, such as hack-a-thons and bug-bounties, in order to identify and mitigate vulnerabilities more effectively and to foster innovation.”

