Defense Secretary Ash Carter announcing Hack the Pentagon results during a press conference
Great news today for U.S. citizens – the Department of Defense has announced plans to expand upon the successful Hack the Pentagon bug bounty pilot launched earlier this year. This is also fantastic news for eligible hackers who will have an opportunity to hunt bugs and earn hundreds of thousands of dollars in bounties!
The broadened program is a result of the successful Hack the Pentagon challenge that HackerOne ran in partnership with DoD’s Defense Digital Services earlier this year. DoD has selected the two leading companies in this space - HackerOne and Synack - for their ongoing Crowdsourced Vulnerability Discovery & Disclosure Services.
HackerOne is by far the largest bounty-driven marketplace for whitehat hackers, and Synack has developed a powerful proprietary model for private, vetted, crowdsourced vulnerability testing. Both companies harness the power, diversity and creativity of the outside hacker community for the benefit of the security teams on the inside.
Securing our online society is paramount, and this puts the U.S. federal government at the forefront of making our connected world more secure. We are all accustomed to seeing the leading technology companies embrace new methods quickly, and HackerOne is proud to count Uber, Twitter, New Relic, General Motors, GitHub, Cloudflare, Kaspersky Lab, Panasonic Avionics, Snapchat, Zenefits and others as our customers. Now, the U.S. Department of Defense is among that elite group.
Working with the external hacker community supplements the fantastic cybersecurity work that DoD is doing internally. Of the “Hack the Pentagon” bug bounty pilot, Secretary of Defense Ash Carter stated, “By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The (program) showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”
No organization or government is so powerful that it does not need outside help identifying security issues. Greg Touhill, U.S. Chief Information Security Officer, stated, “Frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered.” Humans have the potential to solve our technology dilemmas; more technology is not always the solution.
If the leading cloud companies and the most powerful governmental organization in the world need bug bounty programs, it is a sign that soon the whole world will embrace this effective practice.
If you are eager to hack on these programs, check back with us in a number of weeks when the first challenge is ready to get going.