
DOD extends and expands bug bounty program


The Department of Defense and the Digital Defense Services have awarded another set of contracts under their "Hack the Pentagon" bug bounty program to security firms HackerOne, Synack and Bugcrowd.

The awards to the three vendors were made on the Crowdsourced Vulnerability Discovery and Disclosure contract vehicle, which has a ceiling value of $34 million.

DOD made the first awards on its bug bounty program in 2016. The new awards will broaden the focus to "high-value" DOD assets, according to a Pentagon news release. Previous bug bounties have focused on DOD's public facing websites as well as sensitive systems. The program provides an avenue for independent security researchers to safely probe DOD websites, systems and networks for software vulnerabilities without running afoul of the law. Researchers who discover flaws that are verified by DOD are often eligible for monetary compensation.

DOD has been one of the most aggressive federal agencies on bug bounty programs, including efforts focused on finding vulnerabilities at the Pentagon, the Army, the Air Force, the U.S. Marine Corps and DOD's enterprise travel system. The programs have identified thousands of vulnerabilities present in military software and doled out hundreds of thousands of dollars to researchers along the way.

"When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative," said Chris Lynch, director of the Defense Digital Service. "Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."

The program's success has led other agencies, such as the General Services Administration, to implement similar programs, while Congress has moved to compel the Department of Homeland Security and others to do the same.

The Trump administration's IT modernization plan pressed federal agencies to implement external security testing protocols, including establishing vulnerability disclosure policies for public-facing services and identifying systems to place under bug bounty programs.

A report out this week from the Republican staff of the House Energy and Commerce Committee suggests that lawmakers may be taking a look at developing legal protections around security research and coordinated vulnerability disclosure to protect white-hat hackers from legal action by private firms miffed at having their flaws exposed to industry and the public.

Even as officials give the program rave reviews, the IT in the Pentagon's weapons systems remains riddled with exploitable vulnerabilities. A report released this month by the Government Accountability Office found that testers over the past six years identified numerous, fundamental security flaws inherent in DOD weapons systems. In many cases, they "routinely" identified flaws that allowed them to take control of such systems in less than a day, and auditors said it was likely DOD was aware of only "a fraction" of the bugs that exist.

Correction: This article was updated Oct. 26 to note that previous DOD bug bounty programs have tasked participants with finding vulnerabilities in sensitive systems.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
