DOD Wants You to Hack the Pentagon Again and Again
The department is prepping a contract vehicle for bug bounty programs.

The Defense Department plans to make Hack the Pentagon-style bug bounty challenges available in a new contract vehicle.

The department contracted HackerOne and Synack to create a contract vehicle that allows DOD components and services to launch such competitions to discover and remediate website vulnerabilities.

Though tech companies have long used bug bounty programs to root out security issues, the Pentagon and the Defense Digital Service experimented with one for the first time in the spring. The numbers from Hack the Pentagon are impressive: 1,400 vetted hackers tested five websites, 138 unique vulnerabilities were found and fixed, and the effort cost $150,000, with about half going to pay the participants. The department said hiring a contractor for similar work would have cost about $1 million.

"We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks," Secretary Ash Carter said when he announced the results. "What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference—hackers who want to help keep our people and nation safer."

The department aims to "normalize the crowd-sourced approach to digital defenses" with the contract and to serve as an example for other parts of the federal government. DDS will consult with DOD components or other agencies that want to launch their own programs, the announcement said.