The Defense Department has awarded a contract to HackerOne and Synack to create a new contract vehicle for DoD components and the services to launch their own “bug bounty” challenges, similar to the “Hack the Pentagon” pilot program, with the ultimate objective of normalizing the crowd-sourced approach to digital defenses, Pentagon officials announced today.
“We made sure this was openly and fairly competed, and that everyone was qualified, including nontraditional DoD firms who could bid,” said Lisa Wiswell, bureaucracy hacker with the Defense Digital Service team.
At Defense Secretary Ash Carter’s direction, DoD hosted the first bug bounty program in the federal government last spring and is prepared to launch a second, two-pronged effort in partnership with HackerOne and Synack, officials said. The contract with HackerOne will allow DoD to expand upon the successful Hack the Pentagon pilot in continuing to secure public facing assets, they added.
DoD is working with Synack in tandem to allow select groups of highly vetted researchers to identify further ways to strengthen the department’s more sensitive assets. Initiatives like bug bounties are designed to identify and resolve security vulnerabilities within DoD websites.
“These contract vehicles will create an easier and faster path for components and services to set up their own challenges,” Wiswell said. “Considering the tremendous cost-benefit of crowdsourcing talent, it’s proven that you’ll get more bang for your buck than with some of the other traditional security tools we’ve used in the past.”
Wiswell said another benefit of the program is allowing the chance for private citizens to improve the government that services them. “It’s an amazing way to not only source this unique expanse of talent, but also for these individuals to use their skills toward helping secure our nation’s assets,” she said.
Hack the Pentagon
The original Hack the Pentagon program was led by the Defense Digital Service, a team Carter created in November to bring in talent and best practices from the private sector to transform the way DoD approaches technology. DDS contracted with for the pilot effort, which allowed more than 1,400 registered hackers to test the defenses of select open source DoD websites such as Defense.gov. Hackers who identified security gaps that qualified as valid vulnerabilities were then rewarded with a corresponding bounty price.
As a result of this pilot, 138 unique and previously undisclosed vulnerabilities were identified by security researchers and remediated in near real-time by the Defense Media Activity.
Following the success of Hack the Pentagon, Carter recognized the value of the program and directed other DoD components and military services to adopt the crowd-sourced security concept.
“I’m directing all DoD components to review where bug bounties can be used by them as a valuable tool in their own security tool kit,” Carter said at the Hack the Pentagon ceremony in June. “We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DoD systems can also take advantage of innovative approaches to cybersecurity testing.
“For example,” he continued, “in some circumstances, we will encourage contractors to make their technologies available for independent security reviews where bug bounties before they deliver them to us. This will help them make their code more secure from the start, and before it’s installed on our system.”
Carter said the program provides researchers with more than just an avenue for reporting vulnerabilities and gaps, and provides more than a way to make networks more secure in the short term. “We’ve provided a road map for other government departments and agencies to crowd-source their own security,” he said.
Current, Future Projects
Wiswell said the Defense Digital Service is currently helping DoD’s transition from the Defense Travel System to a private-sector travel tool used by Fortune 500 companies.
“DTS is a great example of a system that needed fixing,” she said. “Every single DoD employee has to use DTS, and … from a user and technology perspective, it doesn’t work very well.
“Our charge is to elevate existing software and software development processes across DoD up to private-sector standards.”
The Defense Digital Service is moving DTS from the existing DoD contractor-developed system to a commercial, cloud-based system. “We expect this to provide our military service members and civilian DoD employees with an improved travel experience, as well as save resources each year in unnecessary travel related costs,” Wiswell said.
She said DDS is working on many three- to six-month projects with the components and services to help with efficiencies. She also hopes that in the future, the DoD will put more rigor into developing software with security in mind and not just as an afterthought.
“It’s great to conduct these hacking activities against an operational system, but it’s also really important to look at the code and do some code analysis to make sure that it is secure too,” she said.
Wiswell said she encourages the components and services, their acquisition staff and contractors to use these new vehicles via HackerOne and Synack and to reach out to DDS if they need assistance.
“The Hack the Pentagon pilot showed us that there are great benefits across the board, from leveraging a wider range of skill sets and the large cost-savings involved,” she said. “Hack the Pentagon was a big win for the department, and hopefully this contract vehicle will continue to accelerate progress across DoD and give longevity to this crowd-source model.”
DoD agencies, services or other interested parties can send contract inquiries to hackthepe[email protected].