Pentagon Launches First-of-Its-Kind Bug Bounty Program

Secretary of Defense Ash Carter arrives at the 2016 RSA Conference in San Francisco, March 2, 2016.

DoD photo by Navy Petty Officer 1st Class Tim D. Godbee

AA Font size + Print

Secretary of Defense Ash Carter arrives at the 2016 RSA Conference in San Francisco, March 2, 2016.

The idea is to find and fix vulnerabilities before the bad guys do. Certain restrictions apply.

Challenged by hackers and staffing shortages, the Pentagon is inviting plainclothes techies to a competition where they can poke around military code for security bugs. The idea is to find and fix vulnerabilities unknowingly inserted in software before the bad guys do. 

The contest draws inspiration from “bug bounty” programs in the private sector open to hobbyists and professional penetration testers. Microsoft, for instance, offers a reward of up to $100,000 for attacking its software. General Motors earlier this year launched a car-hacking program that seeks glitch reports but doesn’t yet pay for them. 

The military’s new “Hack the Pentagon” program, unveiled Wednesday, potentially could offer cash prizes, according to a Defense Department announcement. Perhaps some of those bucks could come from the nearly $7 billion Pentagon Secretary Ash Carter expects to spend on cybersecurity in 2017. 

Only citizens willing to undergo a background check will be allowed to scour Pentagon computer programs for security vulnerabilities, according to Defense. Participants will not be angling for bugs in the F-35, but rather scrutinizing weaknesses in Defense webpages. The venture marks the first U.S. government foray into bug hacking, the department says. 

The “controlled, limited duration” trial will provide screened-hackers access to a pre-selected system, according to the Pentagon. No national security applications or other critical, “mission-facing” systems will be tested. 

Read more: Pentagon Googles ‘Innovation,’ Taps Eric Schmidt
Related: We’re On the Same Side, Carter Tells Silicon Valley

It is unclear what the screening process will entail or whether participation will be contingent on drug testing. Defense officials said details on eligibility rules will be out in coming weeks.

Background Checks Required

Background check requirements have stopped some cyber professionals from applying for government jobs, including FBI positions, Justice Department Inspector General Michael Horowitz wrote in a Nov. 10, 2015 memo to the attorney general on the bureau’s management challenges. FBI employees are barred from having used marijuana in the last three years or any other illegal drug in the past 10 years.

After Colorado and Washington State legalized recreational marijuana, James Clapper, director of national intelligence, sent a memorandum in October 2014 reminding agencies they “continue to be prohibited from granting or renewing a security clearance to an unlawful user of a controlled substance, which includes marijuana.”

HackerOne, a San Francisco-based firm that coordinates bug bounties for 500 organizations, said drug-use restrictions shouldn’t have a significant effect on the outcome of the Pentagon’s endeavor.

Many of its clients have other types of eligibility regulations, such as bans on contestants from Syria and Iran, or limiting competition to a certain skill set like mobile security. 

As an experiment, it makes an incredible amount of sense to start with a constrained environment that you have a lot more confidence in,” said Alex Rice, a HackerOne co-founder who launched a bounty program at Facebook.  

But ”no question,” the military will be excluding some top-notch players from helping secure Defense systems because of the marijuana prohibitions. 

The cultural disconnect between some creatives in the private sector and the military extends far beyond drug use, according to the Pentagon chief himself. 

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Carter said in a statement.  “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.” 

Channeling Silicon Valley

Hack the Pentagon” is one product of the Defense Digital Service, an office stood up last November that assigns 2-year IT gigs to Silicon Valley coders and other individuals outside the defense industrial base. 

The Defense Digital Service will kick off the bug bounty program this April. The office is one arm of a governmentwide tech squad comprising teams of programmers and statisticians, called the U.S. Digital Service. 

While the military’s contest might be the first federal bug bounty program announced, other agencies have been mulling public bug-finding initiatives, including the departments of Homeland Security and Commerce

DHS officials are contemplating using a “micropurchasing authority” to compensate ethical hackers, according to FCW. The General Services Administration successfully cut through the red tape of federal hiring and contracting by using the funding instrument, which has a cap of $3,500, to compensate coders. 

We used it for code,” said Darryl Peek, a cybersecurity strategist in DHS’ Federal Network Resilience Division, of the micropurchasing authority. “Why can’t we use it for bounty?”

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • Military Readiness: Ensuring Readiness with Analytic Insight

    To determine military readiness, decision makers in defense organizations must develop an understanding of complex inter-relationships among readiness variables. For example, how will an anticipated change in a readiness input really impact readiness at the unit level and, equally important, how will it impact readiness outside of the unit? Learn how to form a more sophisticated and accurate understanding of readiness and make decisions in a timely and cost-effective manner.

  • Cyber Risk Report: Cybercrime Trends from 2016

    In our first half 2016 cyber trends report, SurfWatch Labs threat intelligence analysts noted one key theme – the interconnected nature of cybercrime – and the second half of the year saw organizations continuing to struggle with that reality. The number of potential cyber threats, the pool of already compromised information, and the ease of finding increasingly sophisticated cybercriminal tools continued to snowball throughout the year.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.


When you download a report, your information may be shared with the underwriters of that document.