DOD extends and expands bug bounty program

The Department of Defense and the Digital Defense Services have awarded another set of contracts under their "Hack the Pentagon" bug bounty program to security firms HackerOne, Synack and Bugcrowd.

The awards to the three vendors were made on the Crowdsourced Vulnerability Discovery and Disclosure contract vehicle, which has a ceiling value of $34 million. 

DOD made the first awards on its bug bounty program in 2016. The new awards will broaden the focus to "high-value" DOD assets, according to a Pentagon news release. Previous bug bounties have focused on DOD's public facing websites as well as sensitive systems. The program provides an avenue for independent security researchers to safely probe DOD websites, systems and networks for software vulnerabilities without running afoul of the law. Researchers who discover flaws that are verified by DOD are often eligible for monetary compensation.

DOD has been one of the most aggressive federal agencies on bug bounty programs, including efforts focused on finding vulnerabilities at the Pentagon, the Army, the Air Force, the U.S. Marine Corps and DOD's enterprise travel system. The programs have identified thousands of vulnerabilities present in military software and doled out hundreds of thousands of dollars to researchers along the way.

"When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative," said Chris Lynch, director of the Defense Digital Service. "Expanding our crowdsourced security work allows up to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."

The program's success has led to other agencies, like the General Services Administration, to implement similar programs, while Congress has moved to compel the Department of Homeland Security and others to do the same.

The Trump administration's IT modernization plan pressed federal agencies to implement external security testing protocols, including establishing vulnerability disclosure policies for public-facing services and identifying systems to place under bug bounty programs.

A report out this week from the Republican staff of the House Energy and Commerce Committee suggests that lawmakers may be taking a look at developing legal protections around security research and coordinated vulnerability disclosure to protect white-hat hackers from legal action by private firms miffed at having their flaws exposed to industry and the public.

Even as officials give the program rave reviews, the IT in the Pentagon's weapons systems remain riddled with exploitable vulnerabilities. A report released this month by the Government Accountability Office found that testers over the past six years identified numerous, fundamental security flaws inherent in DOD weapons systems. In many cases, they "routinely" identified flaws that allowed them to take control of such systems in less than a day and auditors said it was likely DOD was only aware of "a fraction" of the bugs that exist.

Correction: This article was updated Oct. 26 to note that previous DOD bug bounty programs have tasked participants with finding vulnerabilities in sensitive systems.