The Pentagon is exploring a new contract to run longer, continuous bug bounty contests on a “full range” of its networks, including private systems.
The Defense Department is looking to partner with a commercial bug bounty company “to conduct crowdsourced vulnerability discovery and disclosure (CVDD) services across the full range of networks, systems, and information, including web applications, software, source code, and software-embedded devices across the whole Department of Defense,” it proposes in a request for information issued earlier this month. “Assets could include closed networks, software-embedded devices, proprietary source code, or other private or internal systems not generally accessible via the public Internet.”
In recent years, the department, led by the Defense Digital Service, has hosted five bug bounty engagements with vendors Synack and HackerOne; both companies currently hold contracts with the Pentagon to host bug bounty programs across the department. HackerOne launched the most recent engagement in April in partnership with the Defense Travel System. Typically, those programs are limited to internet-connected, public-facing networks and last just a few weeks, rewarding vetted hackers with cash prizes for reporting qualifying security vulnerabilities.
This contract would allow for those traditional “time-boxed crowdsource efforts,” as the RFI calls them, that last two to four weeks. But on top of that, it would also allow for continuous bug bounties that could last “12 months or as decided by task order.”
Because the contract would allow hackers to peek around DOD’s more sensitive — and in some cases private — networks, it requires that work be done at a secured and controlled facility with secret clearance. The portal must log or provision IP addresses and capture data, such as keystrokes, of users. It must also be “capable of full packet capture to enable auditability and continuous monitoring of researcher activities.”
The program manager with the partnering service must also hold a secret clearance. In some cases, though, work may be done at DOD facilities.
Interested vendors have until May 25 to send DOD a capability statement.