The Department of Defense (DoD) announced it is expanding its “Hack the Pentagon” program to include all publicly accessible DoD information systems.
The program – launched in 2016 and overseen by the DoD’s Cyber Crime Center – offers bug bounties to ethical hackers for discovering vulnerabilities in DoD systems.
The Pentagon said it launched the program because previously there was no way for hackers to report a vulnerability. “Because of this, many vulnerabilities went unreported,” Brett Goldstein, the director of the Defense Digital Service, said. “The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems.”
Initially, the hacking program was limited to public-facing websites and apps, but with the new expansion, hackers can now report vulnerabilities related to all DoD publicly accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more.
“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” said Goldstein.
“The department has always maintained the perspective that DoD websites were only the beginning as they account for a fraction of our overall attack surface,” said Kristopher Johnson, director of the Cyber Crime Center.
Since its launch, hackers have submitted more than 29,000 vulnerability reports, with more than 70 percent of them determined to be valid, DoD said in a press release. Johnson said he expects those numbers will “drastically increase” due to the program expansion as hackers discover new vulnerabilities that were previously unreportable.