US Defense Department Launches Twin Bug Bounty Programs

US Defense Department Launches Twin Bug Bounty Programs

The US Department of Defense has put $7 million into a fresh bug bounty effort.

The DoD has awarded a contract to bug-bounty platforms HackerOne and Synack to create a two-pronged program. The Crowdsourced Security Initiative will be a full-scale launch following the successful Hack the Pentagon pilot program earlier this year. The effort will expand to include bounties for flaws in public facing properties, which will continue to be managed by HackerOne; and for those found in mission-critical and sensitive IT assets, which is the larger of the two and will be run by Synack.

Hack the Pentagon was the first bug bounty program for the federal government, launched last spring. It allowed more than 1,400 registered hackers to test the defenses of select DoD websites. As a result of the pilot, 138 unique and previously undisclosed vulnerabilities were identified by security researchers and remediated in near real-time by the Defense Media Activity.

“As adversaries become more sophisticated and the threat environment continues to evolve, maintaining the highest levels of security has never been more important,” said Mark Wright, a spokesperson at Office of the Secretary of Defense. “By partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable and effective approach to better protect and defend our digital assets.”

The contracts are expected to cover up to 14 challenges and reward hundreds of security researchers.

"No government or organization is so powerful that it does not need outside help identifying security issues. Working with the external hacker community will supplement the crucial cybersecurity work that DoD is doing internally,” said Marten Mickos, CEO, HackerOne. “Securing our online society is paramount and this puts the U.S. federal government in the forefront.”

Photo © Frontpage

Source: Information Security Magazine