Because our adversaries are more creative than ever when they carry out malicious attacks, it’s never been more important to find innovative ways to identify vulnerabilities and strengthen security. The Department of Defense (DoD) spends billions of dollars every year on information security, but had never attempted to address security vulnerabilities using bug bounties, a crowd-sourced model used in the private sector to secure both public-facing and internal assets.
Ethical hacker Jack Cable presents to a group of Marines and fellow hackers at Hack the Marine Corps in Las Vegas. Photo courtesy of HackerOne.
The Defense Digital Service launched Hack the Pentagon in 2016, the federal government’s first bug bounty program. The Hack the Pentagon program has engaged hundreds of ethical hackers around the globe to lawfully discover and disclose vulnerabilities on DoD assets. The DoD’s first Vulnerability Disclosure Policy established a 24/7 pathway for security experts to safely disclose vulnerabilities on public-facing DoD websites and applications. DDS has ongoing contracts with security firms HackerOne, Synack, and Bugcrowd to facilitate assessments for DoD components and military services against their respective assets.
This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.
Ethical hackers work together to find and disclose security flaws in Air Force systems during the Hack the Air Force 2.0 bug bounty event in December 2017 in New York City. Photo courtesy of HackerOne.