The Department of Defense’s (DoD) Defense Digital Service (DDS) has announced that its Hack the Pentagon program has launched a continuous bug bounty program that will expand to the Chief Digital and Artificial Intelligence Office (CDAO) assets and beyond.

Traditionally, Hack the Pentagon’s bounties have run in fixed time windows with selected partners to help the agency discover cybersecurity weaknesses. However, the new first-of-its-kind continuous bounty program will reward security researchers’ discoveries outside of a short-term bounty period.

“We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities is achievable and scalable to support obtaining quality data,” Jennifer Hay, director of DDS at the CDAO, said in a press release.

This continuous bounty – which DoD launched on Dec. 12 – lasts one year and has the option to be extended. The agency said it will start with public-facing DDS assets (dds.mil and all associated subdomains, hackthepentagon.mil, and code.mil) and will then “scale to CDAO assets and beyond.”

The bounty also includes a “rapid response” capability, in which an industry partner can have researchers search for a specific, exploitable critical vulnerability across DoD public-facing infrastructure in less than 72 hours.

“We think the continuous and rapid response bounty program is a real game changer for scaling bug bounties out more efficiently and effectively for the department,” said Allen Vance, Hack the Pentagon portfolio lead.

The CDAO and DDS Hack the Pentagon team has partnered with Bugcrowd to run the continuous bounty with invited security researchers. Once the program has been tested, DoD said, bounty submissions will be opened to the public.

“The DDS and Hack the Pentagon teams are at the forefront of defending our nation, embracing ongoing dialogue with diverse and cutting-edge talent to safeguard our vital assets. We are thrilled to be partnering with CDAO and revolutionizing approaches to continuous bug bounties and researcher engagement,” said Kent Wilson, VP of global public sector sales at Bugcrowd.

DoD is also looking at expanding Hack the Pentagon – launched in 2016 – into the classified arena. Earlier this month, Nicole Thompson, digital services expert for the DDS, said that DoD is looking to “bring the crowd to a classified environment and have them test that.”

“It’s never been done before, but it’s worth asking the question,” Thompson said.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.