The Department of Defense is expanding its bug bounty program, awarding $34 million in contracts to three companies, as the department looks to task ethical hackers with finding vulnerabilities beyond public facing domains.
DoD’s Defense Digital Service (DDS) has tasked cyber security companies HackerOne, Bugcrowd and Synack with running programs through 2021 to pay hackers for discovering network flaws that will now include private Pentagon assets.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” Chris Lynch, director of DDS, said in a statement. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows up to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the department.”
Since 2016, bug bounty programs in the Pentagon and across the services have uncovered over 8,000 network security vulnerabilities.
The new contracts will expand the program to search for flaws in “tailored and bespoke products and systems for meeting defense mission needs,” including private assets, according the Pentagon.
“HackerOne has done six challenges related to public-facing assets and will continue with more in the future. Functional Area 2 is the second portion of the Hack the Pentagon contract, which is new to HackerOne and what we’re announcing today. It’s related to government assets that aren’t in the public domain,” a HackerOne spokeswoman told Defense Daily.
Jay Kaplan, CEO of Synack, said the expansion of the bug bounty program is a signal that low-cost security initiatives will remain a priority for the Pentagon.
“Crowdsourced security is gaining traction in the market, and now considered a best practice by the US government. Agencies across the government are increasingly looking to Synack’s crowdsourced security model for scalable, effective, and trusted testing,” Kaplan said in a statement. “In an industry that’s often seen as conservative and sluggish, we applaud the DoD for being bold leaders in adopting this innovation first.”
Bugcrowd is the latest contractor to join HackerOne and Synack, which have both worked on the effort since the initial Hack the Pentagon in 2016.
“Bugcrowd’s proven platform and Crowd of researchers brings a wide variety of experience and technical specialization to handle the complexity of constantly changing attack surfaces that the DoD – or any organization – will face in the coming years,” Ashish Gupta, the company’s CEO, said in a statement.
The Pentagon’s most recent bug bounty program, Hack the Marine Corps, paid out $150,000 to ethical hackers who reported 150 network security flaws (Defense Daily, Oct. 3).