New DDS bug bounty to include rapid response capability

The Defense Digital Service is partnering with Bugcrowd on the effort.

The Defense Digital Service is launching a longer-lasting bug bounty for white-hat hackers that will also include a “rapid response” capability.

The organization, which is part of the Chief Digital and AI Office (CDAO), is partnering with Bugcrowd, a crowdsourced security platform, on the vulnerability disclosure effort.

The so-called Continuous Bounty, which kicked off this week, is scheduled to last at least a full year with an option for extension.

“We are beginning with public-facing DDS assets (dds.mil and all associated subdomains, hackthepentagon.mil, and code.mil) and will scale to CDAO assets and beyond,” according to a Department of Defense release about the initiative. “This effort also includes a ‘rapid response’ capability, where our industry partner can put researchers on the hunt for a specific, exploitable critical vulnerability across the entirety of DoD public-facing infrastructure in less than 72 hours. This will strengthen our cyber resiliency if we run into the next widespread/critical vulnerability.”

The Pentagon began its Hack the Pentagon initiative during the Obama administration. The bug bounty launched this week will be less limited in time horizon and scope than previous ones, the release suggested.

“We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities is achievable and scalable to support obtaining quality data,” DDS Director Jennifer Hay said in a statement.

Bounty submissions will be opened to the public as the initiative progresses through testing, according to the release.

“The DDS and Hack the Pentagon teams are at the forefront of defending our nation, embracing ongoing dialogue with diverse and cutting-edge talent to safeguard our vital assets. We are thrilled to be partnering with CDAO and revolutionizing approaches to continuous bug bounties and researcher engagement,” Kent Wilson, Bugcrowd’s vice president for public sector sales, said in a statement.

Since 2016, DDS has overseen more than 40 bug bounties with participation from about 1,400 “ethical hackers” who have collectively flagged more than 2,100 vulnerabilities for remediation, according to a press release issued in March.

As an example, for last year’s Hack the U.S. event, the Department of Defense paid out $75,000 in bounties to researchers who discovered nearly 350 bugs inside its networks.

Earlier this year, DDS set up a new website for its Hack the Pentagon program to help scale these types of efforts and attract new cyber talent.

“While advanced tools and automation can be helpful, we believe humans remain essential in defending against cybersecurity breaches. As we shift from an information to an intelligence age, the winning blow will be dealt by humans supported by intelligent machines,” Jinyoung Englund — then acting director of DDS who’s currently serving as the CDAO’s chief strategy officer for algorithmic warfare — wrote in an online post. “This is why we intentionally invite hackers to break into our systems and assets. By incorporating bug bounties into our overall cybersecurity strategy, we’re updating the cybersecurity playbook to assume breach and think like an adversary.”

Lawmakers are also pushing the Defense Department to expand its bug bounty efforts. The fiscal 2024 National Defense Authorization Act, which was passed by Congress this week, included a mandate for the Pentagon to set up a similar program to mitigate risks posed by artificial intelligence.

Additionally, the Pentagon has been looking for contractors to set up AI “bias bounty” programs.

Written by Jon Harper

Jon Harper is Managing Editor of DefenseScoop, the Scoop News Group’s online publication focused on the Pentagon and its pursuit of new capabilities. He leads an award-winning team of journalists in providing breaking news and in-depth analysis on military technology and the ways in which it is shaping how the Defense Department operates and modernizes. You can also follow him on X (the social media platform formerly known as Twitter) @Jon_Harper_