The Pentagon’s Defense Digital Service (DDS) last week launched a year-long effort to give vetted researchers an opportunity to probe the service’s public-facing internet assets for cybersecurity vulnerabilities.
The continuous bug bounty is a departure from the traditional short-term bounties and is intended to further strengthen the service’s networks.
“We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities is achievable and scalable to support obtaining quality data,” Jennifer Hay, director of the Defense Digital Service within the Chief Digital and Artificial Intelligence Office (CDAO), said in a statement.
The continuous bug bounty has an option to extend beyond a year. The bounty will be managed by Bugcrowd.
The bug bounty also has a component that allows Bugcrowd to host a rapid hunt for a specific vulnerability.
The “rapid response capability” will allow researchers to “hunt for a specific, exploitable critical vulnerability across the entirety of DoD public-facing infrastructure in less than 72 hours,” the Digital Service said. “This will strengthen our cyber resiliency if we run into the next widespread/critical vulnerability.”
Starting with the public-facing DDS assets that include dds.mil and all subdomains, hackthepentagon.mil, and code.mil, the continuous bug bounty will scale to the CDAO and beyond.
Once the continuous bug bounty is tested, it will be opened to public submissions.