"We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer."
The US Department of Defense’s Defense Digital Service (DDS) team pioneered the Hack the Pentagon bug bounty pilot program with strong support from Secretary of Defense Ash Carter. The pilot ran from April 18, 2016 until May 12, 2016 and exceeded all expectations.
Hack the Pentagon was the first bug bounty program in the history of the federal government. The Department of Defense selected HackerOne as its partner to advise, operate, and execute Hack the Pentagon.
On March 31, 2016, interested participants began registering to compete in the "Hack the Pentagon" pilot challenge.
The pilot program was designed to identify and resolve security vulnerabilities in Defense Department public-facing websites through crowdsourced security testing.
Headline metrics reported for the pilot (figures not reproduced here): time to first vulnerability after the program officially launched; reports submitted immediately after launch; hackers registered to participate in the program; total paid out for all legitimate vulnerability reports.
On October 20, 2016, DoD announced a new three-year contract with HackerOne to expand these programs to other departments. Hack the Army, the most ambitious government bug bounty program to date, was the first of these initiatives, driven by Secretary of the Army Eric Fanning.
Shortly after the Hack the Army announcement, the U.S. Department of Defense introduced the DoD Vulnerability Disclosure Policy (VDP) on HackerOne, outlining a legal avenue for any hacker to disclose vulnerabilities in DoD public-facing systems. This policy is the first of its kind for the U.S. Government.
"The Vulnerability Disclosure Policy is a 'see something, say something' policy for the digital domain,"
With DoD’s new Vulnerability Disclosure Policy, hackers have clear guidance on how to legally test for and disclose vulnerabilities in DoD websites that fall outside the scope of live bug bounty challenges.
"What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security, but lack a legal avenue to do so"
These bold initiatives are driven by DoD’s Defense Digital Service (DDS) with strong support from Secretary Carter, and they underscore the department’s commitment to working with the hacker community to improve security.
The Defense Department is investing aggressively in innovation, including in people, practices and technologies, Carter said. The “Hack the Pentagon” program combined all those elements to "considerable success".
Blazing trails that make society safer is a vital role for governments, especially as caretakers of private data about many of the world’s citizens. The DoD has taken the opportunity to lead in working with the security researcher community. Hack the Pentagon is the model for others to follow, and we believe many more will.
"When it comes to information and technology, the defense establishment usually relies on closed systems. But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters."
Do you represent a government agency that is considering a bug bounty program? Email us to learn more and to get your program going.