The success of the Hack the Pentagon program has led to America’s Department of Defence (DoD) expanding how it treats vulnerability disclosures.
The DoD’s bug bounty program
From April 18th to May 12th, more than 250 hackers took part in the Department of Defence’s bug bounty program – the first of its kind. The program uncovered 138 vulnerabilities that the DoD stated to be “legitimate, unique and eligible for a bounty.”
The bug bounty program cost the American federal government around US$150,000.
Ash Carter, Secretary of Defence, supported the spend by saying, “It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than US$1 million.”
Five public facing websites were the main focus of the Hack the Pentagon program: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.
Further plans to expand the program
The DoD has now announced that, due to the success of the ‘Hack the Pentagon’ program, it plans to expand the bug bounty program and introduce further policies that will assist in boosting the security of the DoD.
The DoD stated, “Next we will expand bug bounty programs to other DoD Components, in particular the Services, by developing a sustainable DoD-wide contract vehicle. Lastly, we’ll include incentives in our acquisition policies and guidance so that contractors practice greater transparency and open their own systems for testing – especially DoD source code. With these efforts, we will capitalise on Hack the Pentagon’s success and continue to evolve the way we secure DoD networks, systems, and information.”
Written by Jordan Platt
