The Department of Defense is looking for some good offense.
The original pilot program challenged hackers to find vulnerabilities in the Pentagon's public websites and in one predetermined department system. Since then, bug hunters have found more than 3,000 vulnerabilities at the department, and more than $330,000 has been paid out to ethical hackers.
The expanded scope now lets hackers hunt for vulnerabilities in hardware and physical systems within the Pentagon, in a partnership with the bug bounty platforms HackerOne, Bugcrowd and Synack. That means they will be probing more sensitive systems at the Pentagon, including those required for "defense mission needs," according to the department's press release.
"When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative," Chris Lynch, director of the Defense Digital Service, said in a statement. "Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."
The contract for the three bug bounty companies has a ceiling of $34 million.
The growing bug bounty program comes at a critical moment for the Pentagon, as cybersecurity continues to be a major concern for the US amid strained international relations and efforts by countries like China, Russia and Iran to use cyberattacks for espionage and retaliation over sanctions. With all its military secrets, the Pentagon is a prime target for potential hackers.
This expanded program also comes just two weeks after the US Government Accountability Office revealed massive security vulnerabilities in US weapons systems, many of which showed glaring shortcomings with passwords and servers.
In one case, a tester was able to guess an administrator's password in nine seconds. Several weapons systems also used software without ever changing the default password, allowing testers to look up the passwords online.
These tests ran from 2012 to 2017, and in some cases, Defense Department operators were unable to effectively respond to the hacks, the report said. "DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development," according to the report.
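The two failure modes the GAO testers reported, vendor default credentials left in place and an administrator password guessable in seconds, are both things an operator can audit before a tester does. The script below is an added example and is not code from the article, the GAO report or the Defense Department; every host name, credential, wordlist entry and login rate in it is constructed for illustration. It flags accounts that still carry a default credential or a wordlist password, and it separates the "nine seconds" case from the harmless one by asking whether a lockout policy would stop an online guesser before a wordlist is exhausted.

```python
"""Credential-hygiene audit over a small, constructed device inventory.

Added example, not code from the article or the GAO report. Every host,
credential list and login rate below is constructed for illustration."""
import math
from dataclasses import dataclass
from typing import Optional

# Constructed vendor default credentials (the kind a tester can "look up online").
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("operator", "operator"),
}

# Constructed short wordlist standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome1", "letmein", "summer2018"}


@dataclass
class Account:
    host: str
    username: str
    password: str                  # plaintext, as it would appear in a config dump
    lockout_after: Optional[int]   # failed attempts before lockout; None = no lockout
    attempts_per_sec: float        # observed unthrottled login attempt rate


def audit(acct: Account) -> list[str]:
    """Return the list of findings for one account (empty list = clean)."""
    findings = []
    if (acct.username, acct.password) in DEFAULT_CREDENTIALS:
        findings.append("default vendor credential unchanged")
    if acct.password.lower() in COMMON_PASSWORDS:
        findings.append("password appears in common wordlist")
    if len(acct.password) < 12:
        findings.append("password shorter than 12 characters")
    if acct.lockout_after is None:
        findings.append("no lockout: online guessing is unthrottled")
    return findings


def seconds_to_exhaust(acct: Account, wordlist_size: int) -> float:
    """Worst-case seconds for an online attacker to try every wordlist entry.

    Returns math.inf when lockout would stop the attempt before the list is
    finished; that property is what separates a nine-second guess from a non-event."""
    if acct.lockout_after is not None and wordlist_size > acct.lockout_after:
        return math.inf
    return wordlist_size / acct.attempts_per_sec


def audit_inventory(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each host to its findings; hosts with no findings are omitted."""
    return {a.host: audit(a) for a in accounts if audit(a)}


# Constructed inventory: one unchanged default with no lockout, one weak but
# throttled password, one clean service account.
INVENTORY = [
    Account("fcs-maint-01", "admin", "admin", None, 20.0),
    Account("radar-ctl-02", "operator", "Summer2018", 5, 20.0),
    Account("mission-plan-03", "svc_plan", "T7#qL9!vZ2pW4xRm", 5, 20.0),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, "->", "; ".join(findings))
    # An unthrottled host at 20 attempts/s exhausts a 180-entry list in 9 seconds.
    print(seconds_to_exhaust(INVENTORY[0], 180))
```

In practice the plaintext `password` field would come from a configuration backup or a credential store export rather than from live systems, and the wordlist and default-credential sets would be replaced with the real lists an attacker would use; the lockout check is the one that turns a weak password from an immediate compromise into an alert.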
While the Defense Department says it has fixed thousands of vulnerabilities discovered by bug bounty hunters, security issues found internally have not fared as well.
The report noted that the department only fixed one out of 20 vulnerabilities identified in a previous test.
At the time, the Defense Department dismissed the GAO's report as "unrealistic," pointing out that the testers had access that outside hackers wouldn't.
But with the bug bounty program's expanded scope, the ethical hackers participating won't have that luxury.
"As a general observation we can note that DoD has such a large set of digital assets that it is possible and perhaps even likely that what GAO tested was something that had not been in scope for the bug bounty or vulnerability disclosure programs," Mårten Mickos, HackerOne's CEO, said in a statement.