DOD Launching Expanded Hack the Pentagon Bug Bounty Program

The Hack the Pentagon program was such a success that the DOD is launching a longer-term effort and has contracted with HackerOne and Synack to run it.

bug bounty

The Hack the Pentagon bug bounty program—which Defense Secretary Ashton Carter announced last March at the RSA security conference—lasted several weeks, but it was so successful that the Department of Defense is now following up with an expanded initiative.

The new, expanded DOD bug bounty effort will be operated by HackerOne and Synack. In a bug bounty program, security researchers are rewarded for responsibly disclosing security bugs.

"The first Hack the Pentagon challenge was a big, brave move by the DOD and Secretary of Defense Ash Carter," HackerOne CEO Marten Mickos, told eWEEK. "They knew it could be useful, but they couldn't know how useful. They also worried that it might backfire."

As it turns out, the results of the initial Hack the Pentagon bug bounty program were very positive: 1,400 security researchers participated and 138 serious vulnerabilities were discovered that the DOD fixed quickly.

Building on that success, the new program is a three-year engagement and includes multiple active programs across the internet domains of the Pentagon, Mickos explained.

"If the first Hack the Pentagon was a pilot project, this is now the real thing," Mickos said.

What's also different about the new expanded effort is that DOD experts will be serving as advisors and guides to other federal agencies that are considering having a bug bounty program.

The first Hack the Pentagon effort was also managed by HackerOne, but with the expanded effort, Synack is now also part of the program. Mark Kuhr, Synack founder and CTO, explained that there are two separate contracts for HackerOne and Synack.

The HackerOne contract is to protect public-facing assets and domains. It is modeled after an open bug bounty program with public disclosure and open participation from any researcher.

In contrast, Synack's contract is modeled after a private, managed service model and is focused on more sensitive, mission-critical IT assets, Kuhr said. In the Synack model, researcher participation is limited to a selective group of highly screened and vetted security researchers.

"Most importantly, we anticipate times when Synack and HackerOne will work on very separate assets owned by separate DOD teams and there will be times when Synack and HackerOne will team on assets owned by one team," Kuhr told eWEEK. "Synack and HackerOne are both committed to the integrity of Crowdsourced Security Testing and to respecting our researchers, so we will be happy to work together on standards around discovery and reporting so we can offer the best results possible to the DOD."

With the upcoming U.S. election and a change in presidential administration, it's not entirely clear if there will be any impact on the expanded bug bounty program at the DOD. The value of bug bounty programs has been demonstrated and proven across party lines and political boundaries, Mickos said.

"Trump and Clinton have both spoken out in favor of a stronger cyber-security posture in the agencies of the federal government," Mickos said. "As a matter of fact, Hillary Clinton recommends that every government agency run bug bounty programs modeled after Hack the Pentagon."

Kuhr noted that while the two presidential candidates are aligned on very few issues, the challenges of this cyber-war and the need for innovative solutions is one area that both candidates agree on.

"These contracts have been written to enable multiple challenges over three years because using the right crowd of ethical hackers just makes sense, independent of who is in charge," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.