DOD launches full-scale bug bounty program

After a successful bug bounty pilot program earlier this year, the Department of Defense is expanding its use of bounty hunters to help identify security issues within its digital assets.

DIG IT AWARDS

Hacking the Pentagon for patriotism and profit

The Hack the Pentagon program was a finalist for GCN’s 2016 dig IT Awards for its innovative use of private-sector talent and best practices to improve critical Defense Department systems.

On Oct. 20, DOD awarded two contracts for crowdsourced vulnerability discovery and disclosure programs: one to bug bounty platform provider HackerOne and another to cybersecurity company Synack. The department intends to launch challenges and find security researchers who can better detect cyber risks in DOD applications, websites and networks.

Building on DOD’s “Hack the Pentagon” pilot with HackerOne earlier this year, the partnership will allow DOD to run more bug bounty challenges to protect public-facing assets and domains. Hack the Pentagon, led by the Defense Digital Services, was the federal government’s first bug bounty program, and drew 1,410 vetted hackers submitting more than 1,000 vulnerability reports.

By the end of the pilot, the DOD paid 138 bounties for confirmed vulnerabilities in the five sites tested, bringing the overall cost for the effort to approximately $150,000. According to Pentagon officials, discovering the same security vulnerabilities through traditional methods could have cost $1 million.

The contract with Synack will leverage a private, managed bounty incentive model using only highly vetted researchers who will focus on the department’s sensitive IT assets.

“By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets,” Office of the Secretary of Defense spokesman Mark Wright said.

The contracts combined are valued at $7 million and are expected to cover up to 14 challenges and reward hundreds of security researchers.

Posted by Amanda Ziadeh on Oct 21, 2016 at 1:24 PM