By Samir Naqvi – Nov. 26, 2018
In October 2018, the U.S. Department of Defense (DoD) issued a press release announcing a major expansion to its “Hack the Pentagon” program. As part of this expansion, the DoD has awarded contracts to several Silicon Valley firms that will help the Pentagon increase its capacity to run and issue “bug bounties” to successful hackers.
“Hack the Pentagon” was initially established in 2016 to assist the DoD in identifying and resolving security vulnerabilities across a wide range of military and defense applications. In doing so, the DoD has followed the lead of many Fortune 500 companies and global conglomerates in crowdsourcing the discovery of vulnerabilities in their security infrastructure. The rapid expansion of defense technology, combined with limited governmental resources, makes this public-private partnership an ideal way to ensure defense security in the most efficient manner.
Ethical hackers, sometimes referred to as “white hat” hackers, can earn valuable cash prizes for discovering and disclosing bugs to the DoD. This setup is cheaper than having hackers on staff, attracts individuals from a wide range of backgrounds and experience levels, and boosts public awareness of the DoD’s many high-tech programs and missions.
Public and Private Bug Bounties
“Hack the Pentagon” has two main parts. The public bug bounty, which has been in place since the program’s 2016 inception, asks users to find and report bugs on any or all of the DoD’s public-facing websites and applications. Over the last two years, this program has identified and allowed the DoD to correct more than 8,000 security vulnerabilities, any one of which could have put valuable government data at risk.
The private bug bounty performs the same function for the DoD’s internal systems and software programs. The contracts recently awarded to the three Silicon Valley firms (Bugcrowd, HackerOne, and Synack) aim to achieve these goals without compromising secure military data by making it available to members of the public. Because these three firms have significant “white hat” expertise and debugging specialization that’s just not available in other contexts, this partnership is perhaps the best way for the DoD to ensure the security of its applications as they are continually updated and refined.
Another advantage of this private partnership is the open dialogue the DoD plans to establish with Bugcrowd, HackerOne, and Synack. Unlike the public bug bounties, this private partnership will allow these companies to run continuous assessments of DoD assets, adjusting their approach as systems are updated and verifying that earlier patches or fixes are not undone or rendered obsolete by later changes.