The Department of Defense announced today that it has awarded a contract to HackerOne and Synack to create a new contract vehicle through which DOD components and the services can easily launch their own ‘bug bounty’ challenges, similar to Hack the Pentagon, with the ultimate objective of normalizing the crowd-sourced approach to digital defenses.
At Secretary Carter’s direction, DOD hosted the first bug bounty program in the federal government last spring, and is prepared to launch a second, two-pronged effort in partnership with HackerOne and Synack. Initiatives like bug bounties are designed to identify and resolve security vulnerabilities within DOD websites.
The original Hack the Pentagon program was led by the Defense Digital Service, a team created by Secretary Carter last November to bring in private sector talent and best practices to transform the way DOD approaches technology.
The DDS contracted with the reputable bug bounty platform HackerOne for the pilot effort, which allowed over 1,400 registered hackers to test the defenses of select DOD websites. Each reported security gap that qualified as a valid vulnerability was then rewarded with its corresponding bounty.
As a result of this pilot, 138 unique and previously undisclosed vulnerabilities were identified by security researchers and remediated in near real-time by the Defense Media Activity.
Following the success of Hack the Pentagon, Secretary Carter recognized the value of the program and directed other DOD components and military services to utilize the bug bounty concept as a “valuable tool in their own security toolkit.”
This contract vehicle for a crowd-sourced security solution can also serve as a road map for other departments and agencies across the federal government to adopt and implement.
The DDS will work with DOD components and external government agencies in a consultative role to advise on the execution of future programs.
Release No: NR-373-16
Oct. 20, 2016