DoD selects HackerOne for third Hack the Pentagon crowdsourcing contract

SAN FRANCISCO. Department of Defense (DoD) officials awarded a third crowdsourced security contract to HackerOne in order to help strengthen sensitive DoD assets.

This latest award is in addition to HackerOne’s existing multi-year contract with the DoD to test public-facing assets. These new contracts are the latest extension of the Department’s ‘Hack the Pentagon’ crowdsourced security initiative — pioneered by the DoD’s Defense Digital Service (DDS) in partnership with HackerOne in 2016.

Since the launch of ‘Hack the Pentagon,’ the Department has found more than 5,000 valid security vulnerabilities through its disclosure policy on HackerOne, conducted six successful public-facing crowdsourced security exercises, also known as bug bounty challenges, and two live hacking events with HackerOne to improve the security of its sensitive assets.

The award, which is part of the Department’s expanding crowdsourced security program, will allow the DoD to run bug bounties on a broader range of assets such as hardware and physical systems. The DoD will also continue to build out bug bounty programs for public-facing websites, and pursue other crowdsourced digital defense tactics. The DoD awarded contracts to three private-sector security firms.

This latest contract comes on the heels of HackerOne being awarded a multi-year contract with the General Services Administration’s (GSA) Technology Transformation Service (TTS), the first civilian agency to run a public bug bounty program, announced in September 2018.

“When something works tremendously well, you do more of it,” said HackerOne CEO Marten Mickos. “The DoD, assisted by DDS, has established the most progressive and effective vulnerability disclosure program of the modern era. Their program serves as a role model for other federal agencies and large corporations. HackerOne, with the biggest and uniquely talented hacker community on the planet, is the only hacker-powered security vendor to be selected for all of DoD’s programs. We are proud to partner with the U.S. government to help keep citizens and critical infrastructure safe.”

The first valid vulnerability was reported during ‘Hack the Pentagon’ in 2016. Since then, more than 5,000 valid vulnerabilities have been reported in government systems through HackerOne. These bug bounty challenges and results include:

  • Hack the Pentagon bug bounty program launched in May 2016 and resulted in over 130 valid vulnerabilities resolved and tens of thousands of dollars paid to ethical hackers for their efforts.
  • Hack the Army launched in December 2016 and surfaced over 115 valid vulnerabilities resolved and paid $100,000 to ethical hackers.
  • Hack the Air Force launched in April 2017 and resulted in over 200 valid vulnerabilities resolved and more than $130,000 paid to ethical hackers.
  • Hack the Air Force 2.0 launched in December 2017 and resulted in over 100 valid vulnerabilities resolved and more than $100,000 paid to hackers.
  • Hack the Defense Travel System launched in April 2018 and focused on testing a DoD enterprise system and resulted in 100 security vulnerabilities reported and $80,000 paid to hackers.
  • Hack the Marine Corps launched in August 2018. Hackers reported nearly 150 unique valid vulnerabilities to the U.S. Marine Corps Cyberspace Command (MARFORCYBER) team and were awarded over $150,000 for their contributions.

“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, Director of the Defense Digital Service. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the Department.”

Hackers who become aware of vulnerabilities can disclose them to the DoD through its ongoing vulnerability disclosure program with HackerOne. The Defense Department launched its Vulnerability Disclosure Policy in 2016 as part of Hack the Pentagon to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems.