Pentagon expands bug bounty program with contracts to three private security firms

The Department of Defense announced Wednesday that it was awarding contracts to three private security firms in an expansion of its bug bounty program.

The department will now partner with Synack, HackerOne and Bugcrowd — all Silicon Valley crowdsourced companies — to add new features to the “Hack the Pentagon” program. The department began the program two years ago, inviting security researchers and ethical hackers to examine the Pentagon’s networks and identify cyber vulnerabilities.

The new partnerships mean the department will be able to run year-long and continuous testing of top assets, as well as “enable vetted hackers to simulate real and insider threats to certain systems,” according to a department release.

{mosads}”Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, the director of the Defense Digital Service. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets.”

Bug bounty programs for federal agencies have grown more popular since the Pentagon launched its version two years ago. Lawmakers who were initially wary of allowing the outside researchers, often known as “white hat” hackers, into federal networks are now more open to the concept.

The Senate passed a bill earlier this year to establish a similar bug bounty program at the Department of Homeland Security (DHS). The House Homeland Security Committee advanced the bill out of committee last month, but it has not yet been brought up for a vote.

The House also passed legislation last month directing DHS create a vulnerability disclosure policy, and it has been referred to a Senate committee.