The Department of Defense has awarded two contracts that will allow the Pentagon to expand its bug bounty program across a variety of its digital assets.
Contracts were awarded to San Francisco-based HackerOne and Redwood City, Calif.-based Synack, allowing crowdsourced security researchers to scour the DoD’s applications, websites and networks for vulnerabilities.
The contract awarded to HackerOne will allow DoD and HackerOne to run bug bounty challenges similar to the Hack the Pentagon program conducted earlier this year. The contract awarded to Synack is modeled after a private bounty program, focused on the DoD’s sensitive IT assets and utilizing only highly vetted researchers.
The combined contracts are valued at $7 million and are expected to cover up to 14 challenges.
“As adversaries become more sophisticated and the threat environment continues to evolve, maintaining the highest levels of security has never been more important,” said Mark Wright, a spokesman at the Office of the Secretary of Defense. “By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets.”
Earlier this year, the Pentagon awarded $71,200 in bounties after people participating in the Hack the Pentagon program found 138 vulnerabilities. In that program, hackers were limited to searching for vulnerabilities on the Pentagon’s public-facing websites, and most commonly they found errors in cross-site scripting, information disclosure and cross-site request forgery, according to HackerOne.
“No government or organization is so powerful that it does not need outside help identifying security issues. Working with the external hacker community will supplement the crucial cybersecurity work that DoD is doing internally,” said HackerOne CEO Marten Mickos in a release. “Securing our online society is paramount and this puts the U.S. federal government in the forefront.”
“This award really marks a turning point in harnessing innovation to secure the nation’s most critical assets.” said Synack CEO Jay Kaplan. “As attacks become more sophisticated, the DoD is taking a much needed innovative approach to security by harnessing the world’s best security researchers.”
The idea of bug bounty programs are becoming increasingly en vogue across the federal government. The General Service Administration’s 18F office announced in May its building a bug bounty program for use by other federal agencies.
Earlier this month in his first comments as Federal Chief Information Security Officer, Greg Touhill said he hopes to create a massive bug bounty program across all .gov domains.