DOD extends and expands bug bounty program

The Department of Defense and the Digital Defense Services have awarded another set of contracts under their "Hack the Pentagon" bug bounty program to security firms HackerOne, Synack and Bugcrowd.

The awards to the three vendors were made on the Crowdsourced Vulnerability Discovery and Disclosure contract vehicle, which has a ceiling value of $34 million.

DOD made the first awards on its bug bounty program in 2016. The new awards will broaden the focus to "high-value" DOD assets, according to a Pentagon news release. Previous bug bounties have focused on DOD's public facing websites as well as sensitive systems. The program provides an avenue for independent security researchers to safely probe DOD websites, systems and networks for software vulnerabilities without running afoul of the law. Researchers who discover flaws that are verified by DOD are often eligible for monetary compensation.

DOD has been one of the most aggressive federal agencies on bug bounty programs, including efforts focused on finding vulnerabilities at the Pentagon, the Army, the Air Force, the U.S. Marine Corps and DOD's enterprise travel system. The programs have identified thousands of vulnerabilities present in military software and doled out hundreds of thousands of dollars to researchers along the way.

"When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative," said Chris Lynch, director of the Defense Digital Service. "Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."

The program's success has led other agencies, like the General Services Administration, to implement similar programs, while Congress has moved to compel the Department of Homeland Security and others to do the same.

The Trump administration's IT modernization plan pressed federal agencies to implement external security testing protocols, including establishing vulnerability disclosure policies for public-facing services and identifying systems to place under bug bounty programs.

A report out this week from the Republican staff of the House Energy and Commerce Committee suggests that lawmakers may be taking a look at developing legal protections around security research and coordinated vulnerability disclosure to protect white-hat hackers from legal action by private firms miffed at having their flaws exposed to industry and the public.

Even as officials give the program rave reviews, the IT in the Pentagon's weapons systems remains riddled with exploitable vulnerabilities. A report released this month by the Government Accountability Office found that testers over the past six years identified numerous, fundamental security flaws inherent in DOD weapons systems. In many cases, they "routinely" identified flaws that allowed them to take control of such systems in less than a day, and auditors said it was likely DOD was aware of only "a fraction" of the bugs that exist.

Correction: This article was updated Oct. 26 to note that previous DOD bug bounty programs have tasked participants with finding vulnerabilities in sensitive systems.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
