July 2017 Report to Congress
Hack the Pentagon
Department of Defense (DoD)
The DoD spends billions of dollars every year on information security but had not sought to find security vulnerabilities through bug bounties, a security approach that has gained significant traction in the private sector. Bug bounties are a private sector crowd-sourced security model used to identify vulnerabilities in both public-facing and internal assets. Bug bounties also allow private citizens to harness their diverse range of talent to contribute and strengthen our nation’s security posture in exchange for monetary reward for finding security issues.
DDS partnered with the DoD to launch the first federal bug bounty, Hack the Pentagon, in Spring 2016. The success of Hack the Pentagon resulted in two follow-on activities. First, the DoD established its first Vulnerability Disclosure Policy, which created a safe, secure, and legal avenue for private citizens worldwide to report vulnerabilities found on public-facing DoD websites and applications. It also serves as a bridge between the DoD and the security researcher community, allowing them to work openly and in good faith together to identify and disclose vulnerabilities.
Second, the DoD issued a multiple-award Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle to Silicon Valley security firms that enables all DoD components and military services to launch their own bug bounty challenges against their respective assets. Establishing this contract vehicle is part of a broader effort to normalize and foster the adoption of this crowd-sourced approach to security across the DoD. The contract vehicle also serves as a model for other federal agencies to follow and implement. The first contract, with HackerOne, focuses on public-facing DoD websites such as military recruiting services. The second contract, with Synack, is reserved for more sensitive, internal DoD assets, and registration for these challenges is limited to highly vetted researchers within the Synack hacker community.
The first challenge with Synack launched on January 11, 2017, against an internal DoD file transfer mechanism that is responsible for the transport of data between various sensitive networks. Eighty carefully vetted researchers within the Synack community logged more than 2,500 hours to uncover a number of extremely critical issues that are undergoing remediation.
The Department of the Army and the Department of the Air Force have launched their own challenges, “Hack the Army” and “Hack the Air Force,” under the HackerOne contract. “Hack the Army,” which ran from November 30, 2016, to December 21, 2016, targeted Army recruiting websites and yielded vulnerabilities that, if exploited in tandem, could have led to a serious network or data breach. 371 registered researchers reported a total of 118 vulnerabilities previously unknown to the DoD. The “Hack the Air Force” challenge commenced on May 30, 2017, and will conclude by June 23, 2017; the vulnerabilities reported so far are undergoing remediation.
This project was previously chronicled in our 2016 Report to Congress.