Pentagon expands bug bounty program to all publicly accessible systems

By Justin Doubleday / May 5, 2021 at 4:16 PM

The Defense Department is expanding its "bug bounty" program to all its publicly accessible information systems, allowing authorized hackers to investigate and report cyber vulnerabilities in industrial control systems, Internet of Things devices, and other networks.

The development marks a major expansion in the scope of DOD’s vulnerability disclosure program. The original program started with a “Hack the Pentagon” program in 2016 that allowed security researchers to probe public-facing DOD networks without fear of reprisal.

In a little less than five years, researchers have submitted more than 29,000 vulnerability reports, and more than 70% were determined to be valid, according to DOD.

The updated policy allows research and reporting of disclosures in all “publicly accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more,” according to Brett Goldstein, director of the Defense Digital Service.

"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," Goldstein said as part of DOD’s May 4 announcement.

The disclosure program is overseen by DOD’s Cyber Crime Center. Last year, the center also announced plans to launch a pilot program allowing security researchers to investigate the networks of willing defense contractors.