The DoD spends billions of dollars every year on information security but had never addressed security vulnerabilities through bug bounties, a widely understood best practice in the private sector. Bug bounties are a crowd-sourced security model used to identify vulnerabilities in both public-facing and internal assets. They also let private citizens contribute their diverse talents to strengthening the nation's security, in exchange for a monetary reward for each security issue they find.
The Defense Digital Service (DDS) partnered with the DoD to launch the first Federal bug bounty, Hack the Pentagon, in spring 2016. The success of Hack the Pentagon resulted in two follow-on activities. First, the DoD established its first Vulnerability Disclosure Policy, which created a safe, secure and legal avenue for private citizens worldwide to report vulnerabilities found on public-facing DoD websites and applications. It also serves as a bridge between the DoD and security researcher community to work openly and in good faith together to identify and disclose vulnerabilities.
Second, the DoD awarded two Indefinite Delivery, Indefinite Quantity (IDIQ) contracts to Silicon Valley security firms that enable all DoD components and military services to launch their own bug bounty challenges against their respective assets. The first contract with HackerOne focuses on public-facing DoD websites such as military recruiting services. The second contract with Synack is reserved for more sensitive internal DoD assets and registration for these challenges is limited to highly vetted researchers within the Synack hacker community.
Establishing these contract vehicles is part of a broader effort to normalize and spread the adoption of this crowd-sourced approach to security across DoD. The contract vehicles also serve as a roadmap for other agencies to follow and implement. The General Services Administration launched its first bug bounty in May 2017.
The Department of Defense continues to run both public and private bug bounties against assets critical to internal and global operations. To date, more than 2,000 security researchers have submitted more than 400 unique vulnerabilities to DoD public-facing websites and internal systems. Hack the Air Force (which ran from May to June 2017) yielded one of the highest-earning contributors to date: a 17-year-old U.S.-based hacker who submitted 30 vulnerabilities in Air Force assets.
DoD's landmark Vulnerability Disclosure Policy has also been successful at identifying critical vulnerabilities. The policy is a 24/7 legal pathway for security researchers around the globe to submit vulnerabilities found on any DoD public-facing website or application. Since its inception in November 2016, the platform has received nearly 3,000 vulnerability reports from more than 600 security researchers around the world. Of these 3,000 reports, more than 100 were deemed high or critical vulnerabilities, including remote code execution and authentication bypass on DoD sites. The Department of Justice has released official guidance for other Federal agencies that want to implement such a policy, as crowd-sourced security continues to gain traction across the U.S. Government.
Summary figures (values not reproduced in this text): bug bounties held to date; vulnerabilities reported to DoD; global security researchers who have contributed.
This project was previously chronicled in our July 2017 Report to Congress.