The Defense Digital Service is charged with using private-sector talent and best practices to improve critical Defense Department systems — and hopefully modernize DOD’s IT mindset in the process. Hack the Pentagon, a bug-bounty program that was tested this past spring, did both.
DOD partnered with HackerOne, a San Francisco-based bug-bounty management startup. More than 1,400 hackers signed up, and the first bug was reported just 13 minutes after the program began. In all, 138 bounties were paid for confirmed vulnerabilities in the five sites that were tested. Individual bounties ranged from $100 to $15,000, depending on the severity of the bug discovered.
The cost of the pilot was approximately $150,000, and Pentagon officials estimated that a traditional security audit to discover those same holes would have cost $1 million. Arguably more important than the money, however, was the policy and planning work to make a government bug-bounty program feasible.
“We spent a tremendous amount of time with our legal team and all of the stakeholders across the departments to make sure that we defined our rules and restrictions down to a T,” said Lisa Wiswell, the Defense Digital Service’s digital security lead. “You have to make sure that you tell folks what they can do and, almost even more importantly, what they cannot do.”
DOD is now working on a permanent bug-bounty program and issued a request for proposals in August. Other agencies, meanwhile, are looking to the Defense Digital Service for advice on developing programs of their own.