The new contract adds a third vendor and allows agencies to tap pre-vetted hackers throughout a product’s life cycle.
Two years after its first crowdsourced bug bounty program, the Pentagon is upping its game by putting $34 million behind the next wave of Hack the Pentagon and adding a new vendor to the mix.
The Defense Digital Service—a team of innovative technologists from the private sector brought in to help the Defense Department modernize its IT—announced Wednesday the third iteration of Hack the Pentagon will go forward with three companies: HackerOne, Synack and Bugcrowd.
The previous bug bounty contracts were restricted first to public-facing websites and later more sensitive internal systems. The new contract will expand that work to the department’s custom sites and applications—the “tailored and bespoke products and systems for meeting defense mission needs,” according to a department release.
The pre-vetted group of hackers will be brought in from the early stages of development for new applications, as well, to allow a two-way flow of information between developers and hackers “throughout the development life-cycle of a system.”
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” Chris Lynch, director of the Defense Digital Service, said in a statement Wednesday. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets.”
The Pentagon has been running bug bounty programs since 2016 with the first Hack the Pentagon, a low-cost and low-risk version of what many large private sector companies have had in place for years. The initial run discovered almost 140 vulnerabilities in five public-facing department websites at a cost of $150,000, half of which was paid out to participants as bounties.
“When something works tremendously well, you do more of it,” HackerOne CEO Marten Mickos said in a statement. “The DOD, assisted by DDS, has established the most progressive and effective vulnerability disclosure program of the modern era. Their program serves as a role model for other federal agencies and large corporations.”
For HackerOne, the Defense Department white hat routine is becoming old hat. The company was the sole vendor for the first Hack the Pentagon and has run similar programs for the Army, Air Force, Marine Corps and the Defense Travel System.
Synack is also a tried-and-true Hack the Pentagon partner. Synack’s past work at the Pentagon included more sensitive, internal systems in 2017. The crowdsourced team of 100 hackers/researchers found the first vulnerability within four hours. They ended up testing six sensitive systems over the course of 7,000 hours of testing combined.
The company also has been awarded contracts in the civilian space, including the IRS.
“Crowdsourced security is gaining traction in the market, and now considered a best practice by the U.S. government,” said Jay Kaplan, Synack co-founder and CEO. “In an industry that’s often seen as conservative and sluggish, we applaud the DOD for being bold leaders in adopting this innovation first.”
The third company to join the mix, Bugcrowd, is new to the Defense Department but has been running bug bounty programs since 2012 and bills itself as the “crowdsourced security market leader for Fortune 500 companies.”
Like Synack, Bugcrowd’s hackers will focus on the department’s internal systems.
“We are thrilled that Bugcrowd has been selected to ‘Hack the Pentagon’ to bring the scale and expertise of our worldwide elite crowd of white hat hackers to outsmart adversaries and strengthen our nation’s security,” Bugcrowd CEO Ashish Gupta said in a statement.