Skip to main content

Hack the Pentagon

Hack the Pentagon is a bug bounty program of the US Department of Defense on the HackerOne platform.

Hack the Pentagon is a bold security initiative by the US Department of Defense on the HackerOne platform. Over the next three years HackerOne and DoD will partner to bring crowdsourced security initiatives to other departments.

"We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer."

Ash Carter
Secretary of Defense

Innovative Pilot Launch

The US Department of Defense’s Defense Digital Service (DDS) team pioneered the Hack the Pentagon bug bounty pilot program with strong support from Secretary of Defense Ash Carter. The pilot ran from April 18, 2016 until May 12, 2016 and exceeded all expectations.

Hack the Pentagon was the first bug bounty program in the history of the federal government. The Department of Defense selected HackerOne as its partner to advise, operate, and execute Hack the Pentagon.

On March 31, 2016, interested participants began registration to compete in the "Hack the Pentagon” pilot challenge.

The pilot program was designed to identify and resolve security vulnerabilities within Defense Department public facing websites through crowdsourcing security.

Individual payouts ranged from $100 to $15,000

Results That Exceeded Expectations

13 minutes

Time to first vulnerability after program officially launched.

200 reports in 6 hours

Were submitted immediately after launch.

1410 hackers

Registered to participated in the program.

$75,000 bounties paid

For all legitimate vulnerability reports.

On April 18, 2016, Hack the Pentagon challenge opened for submissions. The first report arrived in 13 minutes from that launch. Just six hours later, that number grew to nearly 200. During the pilot program, a new report came in every 30 minutes on average. HackerOne provided triage services to assist the Department of Defense, allowing them only focus on the valid reports

More than 1,400 participants registered to take part in Hack the Pentagon. Of those, 250 eligible hackers submitted a vulnerability report. Out of all the submissions, 138 were found to be "legitimate, unique and eligible for a bounty," and resolved according to Defense Secretary Ash Carter. Those vulnerabilities earned $75,000 in total bounty rewards, paid promptly by HackerOne at the conclusion of the program.

Hack The Pentagon Is Just The Beginning

On October 20, 2016 DoD announced a new contract with HackerOne to expand these programs to other departments over three years. Hack the Army, the most ambitious government bug bounty program to date was the first of these initiatives driven by Secretary of the Army Eric Fanning.

Shortly after Hack the Army announcement, the U.S. Department of Defense introduced the DoD’s Vulnerability Disclosure Policy (VDP) on HackerOne — outlining a legal avenue for any hacker to disclose vulnerabilities in any DoD public-facing systems. This policy is a first of its kind for the U.S. Government.

"The Vulnerability Disclosure Policy is a 'see something, say something' policy for the digital domain,"

Secretary Carter

With DoD’s new Vulnerability Disclosure Policy, hackers have clear guidance on how to legally test for and disclose vulnerabilities in DoD’s websites that may be out of the scope of live bug bounty challenges.

"What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security, but lack a legal avenue to do so"

Eric Fanning
Secretary of the Army

Bold Moves and Big Investments

These bold initiatives are driven by DoD’s Defense Digital Services (DDS) with strong support from Secretary Carter and underscores their commitment to working with the hacker community to improve security.

The Defense Department is investing aggressively in innovation, including in people, practices and technologies, Carter said. The “Hack the Pentagon” program combined all those elements to "considerable success".

Trailblazing paths to make society safer is a vital role our governments need to take, especially as caretakers of the private data about many of the world’s citizens. The DoD as taken the opportunity to be the leaders in working with the security researcher community. Hack the Pentagon was the model for others to follow, and we believe many more will.

"When it comes to information and technology, the defense establishment usually relies on closed systems. But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters."

Ash Carter
Secretary of Defense

Want to learn more about HackerOne

DOD agencies, services or other interested parties can send contract inquiries to hackthepentagon@dds.mil

Contact us

Do you represent a government agency that is considering a bug bounty program? Email us to learn more and to get your program going.