Pentagon Launches the Feds' First 'Bug Bounty' for Hackers

The DoD's "Hack the Pentagon" program could signal a new approach for defending the federal government's networks.

Companies like Google and Facebook have long run "bug bounty" programs that pay cash rewards to independent hackers who dig up and disclose vulnerabilities in their code. Now, for the first time, those bounty-hunting hackers can finally get paid for hacking the feds, too.

On Wednesday the Department of Defense announced that it's launching a "Hack the Pentagon" pilot program to pay independent security researchers who disclose bugs in the Pentagon's public-facing websites, with the intention of eventually extending the initiative to the DoD's less public targets, including its applications and even its networks. The DoD hasn't yet named which of its websites are in scope or how much it plans to pay for bug reports, so until it does, researchers have no authorized targets to test. But the announcement nonetheless represents the first time the U.S. federal government has launched a bug bounty program. It is an acknowledgement that even an agency with the Pentagon's significant cybersecurity resources and expensive contractors doesn't have enough eyes to find all of its exploitable vulnerabilities.

"I am always challenging our people to think outside the five-sided box that is the Pentagon," Secretary of Defense Ashton Carter wrote in a statement. "Inviting responsible hackers to test our cybersecurity certainly meets that test."

Slicing off a few thousand dollars of its $600 billion budget to pay friendly hackers for their work may seem like a no-brainer for the world's largest spender on IT. But it represents a significant milestone, says Katie Moussouris, the chief policy officer for HackerOne, a security firm that organizes bug bounty programs on behalf of its clients. She argues that it shows the growing awareness that "you can't find all the bugs yourself," no matter the size of your budget. "Whether you're a well-funded government like the U.S. or anyone else, you have to work with the hacker community," Moussouris says.

The federal government, despite its massive IT spending, has seen repeated breaches over the last several years, including the unprecedented, disastrous breach of the Office of Personnel Management and a hack of the Pentagon itself last year (possibly by Russian hackers) that resulted in the shutdown of the Pentagon's unclassified email system for weeks. The bug bounty program represents a new approach to shoring up the Pentagon's defenses, and reflects Defense Secretary Carter's focus on Silicon Valley as a source of innovation that can be adapted to the military.

The Pentagon's move could also presage bug bounty programs for other government agencies, Moussouris says, and even for parts of the private sector that have been resistant to the idea. Bug bounties are already the norm for Silicon Valley tech firms, and have begun to appear at less expected companies like Tesla and United Airlines. But industries like healthcare and the automotive sector have only begun to consider the counterintuitive idea of paying hackers to target their products; General Motors, for instance, launched a "vulnerability disclosure" program in January, but with no reward for participating researchers. That actually puts the Pentagon a step ahead of parts of the private sector.

"The significance of the government coming forward and saying this is an important initiative is going to send a ripple through not just other government agencies, but other industries," says Moussouris. "We've begun to see movement. But this is an accelerator."