DoD advances second phase of 'Hack the Pentagon'
- By Kris Osborn
- Oct 21, 2016
The Department of Defense is advancing its “Hack the Pentagon” program into a new, second-phase effort aimed at finding additional security vulnerabilities.
HackerOne and Synack were awarded DoD contracts to launch their own “bug bounty” challenges with a goal of normalizing crowd-sourced approaches to digital defenses, a Pentagon statement said.
“At Secretary Carter’s direction, DOD hosted the first bug bounty program in the federal government last spring, and is prepared to launch a second, two-pronged effort in partnership with HackerOne and Synack,” DOD officials said.
“These contract vehicles will create an easier and faster path for components and services to set up their own challenges,” said Defense Digital Service member Lisa Wiswell said. “Considering the tremendous cost-benefit of crowdsourcing talent, it’s proven that you’ll get more bang for your buck than with some of the other traditional security tools we’ve used in the past.”
The original pilot bug bounty program with HackerOne allowed more than 1,400 registered hackers to test the defenses of selected DoD websites.
“As a result of this pilot, 138 unique and previously undisclosed vulnerabilities were identified by security researchers and remediated in near real-time by the Defense Media Activity,” DoD officials explained.
The new effort is multi-pronged in that is seeks to both expand the volume of DoD websites tested for security and increase participation and collaboration among partner federal agencies with a similar interest in better protecting government networks.
Following the success of Hack the Pentagon, Carter recognized the value of the program and directed other DoD components and military services to adopt the crowd-sourced security concept, according to a Pentagon report.
“I’m directing all DoD components to review where bug bounties can be used by them as a valuable tool in their own security tool kit,” Carter said at the Hack the Pentagon ceremony in June. “We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DoD systems can also take advantage of innovative approaches to cybersecurity testing.”