Pentagon is Planning Another Bug Bounty Contract

The Pentagon is considering offering a broad bug bounty contract that would accommodate a variety of different bounty models on either short-term or continuous timeframes, according to contracting documents released earlier this month.

The move comes after two years during which the Defense Department and military services have launched five high-profile bug bounties targeting the Pentagon, Air Force, Army and the department’s travel booking system.

Bug bounties are contests in which ethical hackers are offered cash rewards for finding hackable vulnerabilities in websites, apps and other software. So far, the Pentagon and military services have paid out more than $400,000 for valid bug reports.

The May 10 sources sought notice envisions contests with a limited number of hacker participants. The number will typically range from 50 to 100 but will sometimes grow as large as 200.

In some cases, the bounty contests will only last two to four weeks, according to the notice. In other cases, they’ll be ongoing and renewed annually.

Some of the projects will focus on systems that are not accessible on the public internet, the notice states. In those cases, researchers will access the systems either on the contractors’ networks or on DOD networks through a portal provided by the contractor.

The proposed contract would be separate from a contract with the companies Synack and HackerOne, which have facilitated previous Defense Department bug bounties. That contract is still active, a HackerOne official said. The contracts could run concurrently, the official said.

A sources sought notice alerts contractors that an opportunity is likely coming up and gives them a chance to express interest. It doesn’t obligate the government to offer a contract or to buy anything.

Responses are due by May 25.