The Defense Department announced Thursday that it will be entrenching the federal government's first ever bug bounty program. DoD's announcement on Thursday takes this further with a contract award to HackerOne and Synack to "create a new contract vehicle" for DoD components and service branches to launch their own bug bounty challenges aimed at incentivizing the discovery of vulnerabilities on networks.
Bug bounties are standard in private industry and many have expressed the need to adopt them in government. However, government, and to some degree, military culture, can stifle this, according to some. With no incentives to disclose discovered vulnerabilities, and in some cases, discovery leading to misinterpretation not as valuable or friendly information but threatening, this "promotes a 'do-nothing' culture," two Army captains wrote in an article in the Cyber Defense Review.
Hack the Pentagon, as it was known, brought in members from the outside to find vulnerabilities on DoD computer systems for potential monetary compensation based upon the types and how many vulnerabilities they found.
The Hack the Pentagon initiative was led by the Defense Digital Service team, another technology initiative stood up by Secretary of Defense Ash Carter to bring in outside talent and replicate the tech culture of Silicon Valley firms to solve challenging problems for the department. Hack the Pentagon brought in over 1,400 registered and vetted hackers to find vulnerabilities on DoD unclassified systems, discovering 138 unique and previously undisclosed vulnerabilities in need of patching.
"This contract vehicle for a crowd-sourced security solution can also serve as a road map for other departments and agencies across the federal government to adopt and implement as well," a release from DoD said.
Secretary Carter has worked hard to bring outside talent from the bastions of technology and innovation around the nation.
DDS, stood up last November, "brings coders in for what we call a tour of duty," Carter has described. "They come in, you know they're not going to make a career of it, they're not going to join, they're not going to be part of the government, but they come in for a year or a two, or a project, and make a contribution to us."
Chris Lynch, who heads DDS, said the program was spun out of U.S. Digital Service, the White House team that was brought in from the private sector to bring in best practices and fix some of the biggest technology problems facing government.
"I like to say that we're a very mission-focused organization," he said of DDS in June at the Defense One Technology Summit. "We function a little bit more like a SWAT team … we go into things where there's a challenge and work to help out in whatever way we can. So we've got some special super powers just because of how we're positioned within the Department of Defense and we try to use our knowledge about how to build products and ship products to turn around challenge or very strategic projects that are going on."
Carter has also pushed the Defense Innovation Unit-Experimental office, which originated with one office in Silicon Valley in 2015 to serve as a DoD outpost for outreach from the Pentagon to tech firms. Since it was first announced, there are now two additional offices in Boston and Austin with 12 contracts awarded totaling $36.3 million in the last fiscal year.
DoD said DDS will work with various components within the department and external government agencies in a consultative role as to advise the execution of future bug bounty programs.