Pentagon Paying More to Be Hacked
The Pentagon requested $6.7 billion for cyber capabilities and operations for fiscal year 2017. Analysts expect such spending to continue rising in the coming years.
The Defense Department recently awarded contracts with a total value of $7 million to two crowd-sourcing firms — HackerOne and Synack Inc. — to expand a “bug bounty” pilot program known as “Hack the Pentagon,” which was launched in April and ended in May.
Bug bounty initiatives provide monetary prizes to vetted friendly hackers who find cyber vulnerabilities that can then be remedied before hostile actors can exploit them.
Secretary of Defense Ashton Carter wants the military services and other defense agencies to adopt this approach and pay outsiders to probe their systems. These latest contracts are expected to help fund at least 14 different hacking competitions known as “challenges.”
The ultimate objective is to “normalize the crowd-sourced approach to digital defenses,” the Pentagon said in a recent press release.
The expansion of the bug bounty program is “fantastic news for eligible hackers who will have an opportunity to hunt bugs and earn hundreds of thousands of dollars in bounties,” HackerOne CEO Marten Mickos said in a company press release.
“HackerOne is by far the largest bounty-driven marketplace for white-hat hackers, and Synack has developed a powerful proprietary model for … vetted crowd-sourced vulnerability testing,” he added. “Both companies harness the power, diversity and creativity of the outside hacker community to the benefit of the security teams on the inside.”
HackerOne will create a new contract vehicle for hackers to help the Defense Department secure its publicly accessible systems, while Synack will focus on securing more sensitive IT assets.
The original pilot program cost $150,000, about half of which was paid to hackers who discovered vulnerabilities. During the trial period, 138 previously undisclosed vulnerabilities were identified and remedied. More than 1,400 registered hackers participated, according to the Defense Department.
“Considering the tremendous cost-benefit of outsourcing talent, it’s proven that you’ll get more bang for your buck than with some other traditional security tools we’ve used in the past,” Lisa Wiswell, a member of the Pentagon’s Defense Digital Service, said in a news release.
Defense officials and other parties interested in the expanded bug bounty initiative were advised to email their contract inquiries to firstname.lastname@example.org.