The Department of Defense plans to expand its signature bug bounty program, awarding three new contracts Wednesday to bolster the Hack the Pentagon initiative.
Hack the Pentagon, which began in 2016, crowdsources cybersecurity expertise from whitehat hackers to find and address vulnerabilities in Defense Department networks for cash rewards.
DOD tapped cybersecurity firms Synack, HackerOne and Bugcrowd Wednesday to provide vetted hackers for continual assessments of defense websites, hardware and physical systems through a three-year, $34 million indefinite delivery, indefinite quantity contract package.
“As cyber threats persist, the Defense Department is working to identify innovative approaches to bolster security, combat malicious activities and build trusted private sector partnerships to counter threats,” DoD officials said in a statement. “Hack the Pentagon bug bounties are designed to identify and resolve security vulnerabilities across targeted DOD websites and assets and pay cash to highly vetted security researchers or ‘ethical hackers’ to discover and disclose bugs.”
Synack and HackerOne have provided bug bounty services to the DOD since the inception of the original Hack the Pentagon pilot in 2016. Since that time, the department has conducted a total of 11 bug bounty programs, including sessions examining the Army, Air Force, Defense Travel Service and, most recently, the Marine Corps in August.
According to the contract’s performance work statement, the awardees will be expected provide up to eight time-boxed challenges and five continuous challenges in the first year of the contract, followed by additional challenges if options are exercised. Task orders on the contracts could run from three to 12 months apiece and overlap.
Officials from San Francisco-based Bugcrowd said in a statement that the new contracts provide defense officials with the ability to “run continuous, year-long assessments of high-value assets,” and account for technology updates and reassessments of network vulnerabilities.
“Through this model, the DoD can maintain an open dialogue with vetted security researchers and whitehat hackers throughout the development lifecycle of a system – which is particularly valuable as software and other assets across targeted DoD websites and assets are regularly updated,” the statement said. “The DoD will continue separate efforts to build out bug bounties for public-facing websites and pursue other crowdsourced digital defense tactics.”
Chris Lynch, director of the Defense Digital Service, said in a statement that the Hack the Pentagon expansion will provide the DOD with more expertise to increase its security posture in the face of a more challenging cyber climate.
“When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative,” he said. “Expanding our crowdsourced security work allows up to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the department.”