This article has been updated to reflect additional details regarding the nature of the contract.
In yet another contract allowing outside hackers to test systems for vulnerabilities, the Department of Defense is opening the doors to more sensitive systems.
Bug bounties, as they’re known, have focused on both public-facing DoD websites and internal systems. They allow vetted hackers to search for vulnerabilities in exchange for cash payouts, with the flaws they find later being fixed.
DoD is expanding the work on its more sensitive systems to more companies, with vulnerability disclosure company HackerOne “run[ning] bug bounties on a broader range of assets such as hardware and physical systems,” a release by the company said.
Declining to offer specifics on these systems, HackerOne CEO Marten Mickos told Fifth Domain that the contract will focus on DoD systems that are more critical and maybe more sensitive.
“We are stepping one step into more sensitive systems. We started from the very public ones, demonstrated amazing, amazing success there, so therefore [DoD is] saying let’s apply this same model and the same vendor to the more sensitive systems that we have,” he said.
Mickos added that this new contract, which is worth up to $34 million across three vendors (including Synack and Bugcrowd), is a natural expansion that builds on the successful steps taken since the initial Hack the Pentagon effort in 2016. Over the years that program has resulted in the identification of 5,000 security vulnerabilities that DoD has fixed.
The Defense Digital Service has been the shepherd internal to the department working to make the vulnerability disclosure program a reality.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, director of the Defense Digital Service.
“When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the department.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.