'Hack the Pentagon' bug bounty expands to include critical systems

This comes two weeks after a federal report noted the Department of Defense has glaring cybersecurity problems.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The Pentagon is expanding its bug bounty program to include physical systems.

The Department of Defense is looking for some good offense.

The agency announced on Wednesday that it is expanding its "Hack the Pentagon" bug bounty program, which was first announced in 2016.

The original pilot program challenged hackers to find vulnerabilities in the Pentagon's public websites and a predetermined department system. Bug hunters have found more than 3,000 vulnerabilities at the department since then, with more than $330,000 paid out to ethical hackers.

The expanded scope now allows hackers to find vulnerabilities in hardware and physical systems within the Pentagon, in a partnership with bug bounty platforms HackerOne, Bugcrowd and Synack. This means that they'll be finding security flaws in more sensitive systems at the Pentagon, including those required for "defense mission needs," according to the department's press release.

"When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative," Chris Lynch, director of the Defense Digital Service, said in a statement. "Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."

The contract for the three bug bounty companies has a ceiling of $34 million.


The growing bug bounty program comes at a critical moment for the Pentagon, as cybersecurity continues to be a major concern for the US amid strained international relations and efforts by countries like China, Russia and Iran to use cyberattacks for espionage and retaliation over sanctions. With all its military secrets, the Pentagon is a prime target for potential hackers.

This expanded program also comes just two weeks after the US Government Accountability Office revealed massive security vulnerabilities in US weapons systems, many of which showed glaring shortcomings with passwords and servers.

In one case, a tester was able to guess an administrator's password in nine seconds. Several weapons systems also used software without ever changing the default password, allowing testers to look up the passwords online.

These tests ran from 2012 to 2017, and in some cases, Defense Department operators were unable to effectively respond to the hacks, the report said. "DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development," according to the report.

While the Defense Department said it's fixed thousands of vulnerabilities discovered by bug bounty hunters, the same cannot be said for security issues found internally.

The report noted that the department only fixed one out of 20 vulnerabilities identified in a previous test.

At the time, the Defense Department dismissed the GAO's report as "unrealistic," pointing out that the testers had access that outside hackers wouldn't.

But with the bug bounty program's expanded scope, the ethical hackers participating won't have that luxury.

"As a general observation we can note that DoD has such a large set of digital assets that it is possible and perhaps even likely that what GAO tested was something that had not been in scope for the bug bounty or vulnerability disclosure programs," Mårten Mickos, HackerOne's CEO, said in a statement.
