Pentagon awards contracts to unleash more white-hat hackers on DOD's 'high-value assets'

By Justin Doubleday / October 24, 2018 at 1:56 PM

The Pentagon today announced the expansion of its crowdsourced vulnerability disclosure program, "Hack the Pentagon," to begin testing more of the Defense Department's sensitive internal systems.

DOD awarded a new contract to each of the crowdsourced security firms Bugcrowd, HackerOne and Synack to "expand the program scope and capacity for bounties targeting private DOD assets which include the tailored and bespoke products and systems for meeting defense mission needs," according to a Pentagon statement.

"New features of the enhanced program will enable DOD components to run continuous, year-long assessments of high-value assets," DOD states. "Through this model, DOD can maintain an open dialogue with vetted hacker participants throughout the development life cycle of a system, which is particularly valuable as software and other assets are regularly updated. The expanded program will also allow the DOD to run assessments on a broader range of assets such as hardware and physical systems."

The statement did not name any specific programs or systems. The Pentagon said the contract would allow "vetted hackers to simulate real and insider threats to certain systems, bringing in valuable new security perspectives to emulate combat adversaries and mitigate risk."

The announcement comes after the Government Accountability Office recently revealed an "entire generation" of DOD's recent weapon systems has been developed without adequately considering cyber risks.

The Defense Digital Service runs the Hack the Pentagon program. Launched in 2016 as the federal government's first bug bounty program, the project has paid "ethical hackers" cash to discover and disclose bugs, enabling DOD to identify and remedy "thousands of security vulnerabilities," according to the statement.

In addition to the now-expanded contract vehicle for DOD's internal systems, DDS also runs a bug bounty contract to find vulnerabilities in the department's public-facing websites.