CybersecurityDoD' “Hack the Pentagon” follow-up initiative

Published 21 October 2016

The Defense Department has awarded a contract to HackerOne and Synack to create a new contract vehicle for DoD components and the services to launch their own ”bug bounty” challenges, similar to the “Hack the Pentagon” pilot program, with the ultimate objective to normalize the crowd-sourced approach to digital defenses.

The Defense Department has awarded a contract to HackerOne and Synack to create a new contract vehicle for DoD components and the services to launch their own ”bug bounty” challenges, similar to the “Hack the Pentagon” pilot program, with the ultimate objective to normalize the crowd-sourced approach to digital defenses, Pentagon officials announced today.

“We made sure this was openly and fairly competed, and that everyone was qualified, including nontraditional DoD firms who could bid,” said Lisa Wiswell, bureaucracy hacker with the Defense Digital Service team.

Two-pronged effort
DOD says that at Defense Secretary Ash Carter’s direction, DoD hosted the first bug bounty program in the federal government last spring and is prepared to launch a second, two-pronged effort in partnership with HackerOne and Synack. The contract with HackerOne will allow DoD to expand upon the successful Hack the Pentagon pilot in continuing to secure public facing assets, Pentagon officials added.

DoD is working with Synack in tandem to allow select groups of highly vetted researchers to identify further ways to strengthen the department’s more sensitive assets.Initiatives like bug bounties are designed to identify and resolve security vulnerabilities within DoD Web sites.

“These contract vehicles will create an easier and faster path for components and services to set up their own challenges,” Wiswell said. “Considering the tremendous cost-benefit of crowdsourcing talent, it’s proven that you’ll get more bang for your buck than with some of the other traditional security tools we’ve used in the past.”

Wiswell said another benefit of the program is allowing the chance for private citizens to improve the government that services them. “It’s an amazing way to not only source this unique expanse of talent, but also for these individuals to use their skills toward helping secure our nation’s assets,” she said.

Hack the Pentagon
The original Hack the Pentagon program was led by the Defense Digital Service, a team Carter created in November to bring in talent and best practices from the private sector to transform the way DoD approaches technology. DDS contracted with for the pilot effort, which allowed more than 1,400 registered hackers to test the defenses of select open source DoD Web sites such as Defense.gov. Hackers who identified security gaps that qualified as valid vulnerabilities were then rewarded with a corresponding bounty price.

As a result of this pilot, 138 unique and previously undisclosed vulnerabilities were identified by security researchers and remediated in near real-time