DOD expands vulnerability disclosure program, giving hackers more approved targets

The expansion comes as the DOD eyes broader changes for its Vulnerability Disclosure Program.
Secretary of Defense Lloyd Austin. (Saul Loeb/AFP via Getty Images)

The Pentagon is letting outside hackers go after more Department of Defense targets than ever before, in an effort to find DOD’s vulnerabilities before foreign hackers do, DOD announced Wednesday.

The program, “Hack the Pentagon,” is expanding the number of DOD targets that ethical hackers can go after to try to ferret out vulnerabilities, according to the announcement. The program, which launched in 2016, previously allowed cybersecurity professionals to test DOD systems when it involved public-facing websites and applications. Now interested hackers may go after all publicly-accessible DOD information systems, including publicly-accessible networks, Internet of Things devices and industrial control systems, according to DOD.

“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” said Brett Goldstein, the director of the Defense Digital Service (DDS).

The DOD Cyber Crime Center, which oversees the program, said the expansion was always where the Pentagon intended to take the initiative.


“The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” Kristopher Johnson, the director of the center, said in a statement.

The bug bounty program was created in an effort to incentivize talented hackers with awards when they uncover and disclose security flaws that could leave the U.S. military vulnerable to foreign criminal or state-backed hacking campaigns.

And although military leaders have suggested in previous years that learning to trust outside experts testing DOD’s security posture has been a challenge, the expansion comes as DOD eyes broader changes for its Vulnerability Disclosure Program. Just last month the Pentagon began running a pilot VDP for the defense industrial base writ large, as part of recognition that — in addition to information systems — foreign hackers are keen on breaking into defense contractors in order to go after U.S. military targets.

The so-called DIB-VDP Pilot was jointly established by the center’s Defense Industrial Base Collaborative Information Sharing Environment, the DOD VDP and the Defense Counterintelligence and Security Agency, and is set to last for one year. So far it has received 383 reports since launch, according to HackerOne, a bug bounty platform.

Other DOD bug bounty programs are continuing in earnest, meanwhile. In January, the DDS announced its eleventh bug bounty program with HackerOne.


Hackers working on bug bounty programs have been having a blockbuster year, according to data collected by HackerOne: The number of hackers submitting vulnerabilities to HackerOne last year increased by 63% year-over-year. The value of bounties paid out last year also increased; over $44.8 million worth of bounties was awarded to hackers last year, a year-over-year increase of 86%, according to HackerOne.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts