The Defense Department awarded a contract to HackerOne and Synack to create a new contract vehicle for department components and services to launch their own cyber ‘bug bounty’ challenges, the department said Thursday.
The contract vehicle will allow DoD components to more easily launch their own challenges similar to the Hack the Pentagon program and aims to ultimately normalize a crowd-sources approach to digital defenses.
The department earlier this year hosted its first bug bounty program at the direction of Secretary of Defense Ashton Carter and through the Defense Digital Service (DDS). DDS contracted with HackerOne to enact the pilot program that allowed over 1,400 registered hackers to test the defenses of select DoD websites. Each reported security gap that qualified as a valid vulnerability was then rewarded with a corresponding bounty price (Defense Daily, June 17).
Following the earlier program’s success, finding 138 unique previously undisclosed vulnerabilities, Carter directed other department components and services to use the bug bounty concept.
Now , the Defense Department is preparing to launch a second, two-pronged program with HackerOne and Synack.
The new contract vehicle for crowd-sources security solutions can also serve as a road map for other departments and agencies across the federal government, DoD said.
“The DDS will work with DoD components and external government agencies in a consultative role to advise on the execution of future programs,” the department said in a statement.