The Pentagon is Letting Hackers Loose on Its Travel Management System

The Defense Department kicked off a bug bounty program on Sunday to boost the security of the enterprise system used by millions of employees to organize travel plans.

Reina Staley, chief of staff and co-founder of the Defense Digital Service, told Nextgov the competition is focused on the Defense Travel System, the platform millions of Pentagon employees use to authorize, reserve and receive reimbursements for work-related travel. The system processes more than 25,000 transactions every day.

“The scale of users, volume of travel booked, and sensitive information it is responsible for maintaining makes DTS both a compelling asset for researchers and a priority for [the Defense Department] to harden its security,” Staley said. “The depth and breadth of skill, professionalism, and creativity that the white-hat hackers have employed during these challenges continues to amaze us each time. The value of crowdsourcing external talent has been clear in every challenge we've run to date.”

The contest, hosted by the cybersecurity platform HackerOne, marks the Pentagon’s fifth bug bounty program.

Bug bounty programs recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major problems capable of corrupting the entire network or exposing sensitive information, and participants are usually awarded cash prizes based on the severity of the bugs they find.

The program, which will run through April 29, is open to citizens of the so-called “Five Eyes” countries—Australia, Canada, New Zealand, the United Kingdom and United States—which often work together on cybersecurity initiatives.

While hackers from NATO countries and Sweden were allowed to take part in previous bug bounties, Staley said the department made “an internal decision” to limit participation this time around. Still, “it is a goal of our program to continue expanding the participant scope for future bounties,” she added.

Since 2016, bug bounty programs at the Pentagon, Army and Air Force have uncovered more than 3,000 vulnerabilities in critical agency websites and IT systems. The contests not only help the agency shore up infrastructure against outside threats, but can also be a boon for hackers, with more than $300,000 in bounties awarded so far.

“The [Defense Department] has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at Defense Manpower Data Center, which oversees DTS, in a statement. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”