Governance & Risk Management , IT Risk Management , Patch Management

'Hack the Pentagon' Program Expands

Vulnerability Disclosure Program Now Includes IoT Devices, Industrial Control Systems
'Hack the Pentagon' Program Expands
Photo: Department of Defense

The Department of Defense will expand its vulnerability disclosure program in the coming months, inviting ethical hackers to find flaws in a wider array of systems and applications within the Pentagon's public-facing networks.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The "Hack the Pentagon" program was launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. The program is overseen by the DOD Cyber Crime Center.

Now, the Pentagon is expanding the program to include all publicly accessible Defense Department systems, which includes IoT devices, industrial control systems, networks and frequency-based communication systems.

"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," says Kristopher Johnson, director of the department's vulnerability disclosure program.

Disclosing Vulnerabilities

Before DOD launched the program, ethical hackers and security researchers did not have a uniform way of contacting the Pentagon and disclosing flaws in systems or applications.

"Because of this, many vulnerabilities went unreported," says Brett Goldstein, the director of the Pentagon's Defense Digital Service. "The DOD vulnerability policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."

The Defense Department estimates that more than 29,000 vulnerabilities have been reported since the vulnerability disclosure system began, with more than 70% of these flaws determined to be valid.

Johnson expects far more flaws to be uncovered now that the Defense Department is expanding the program to all its public networks and systems.

Over the years, the Pentagon has partnered with HackerOne, a private firm with a platform that enables researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures.

The expansion of the Pentagon's vulnerability disclosure program is a good step toward hardening its infrastructure against attacks, says Chad Hoffman, a former DOD intelligence analyst.

"The expansion is imperative for the DOD to continue to leverage private industry to identify vulnerable systems that are critical to missions across the department," says Hoffman, who is now the COO of security firm Analyst1. "But if the program doesn't correlate the vulnerabilities to the threat actors who are known to exploit them, there will be a logjam of prioritization of what to tackle first."

Other Agencies' Programs

In September 2020, the Cybersecurity and Infrastructure Security Agency ordered most executive branch agencies and departments to create their own vulnerability disclosure programs (see: US Agencies Must Create Vulnerability Disclosure Policies).

CISA is working toward creating standards for all federal agencies while providing guidelines on how vulnerabilities should be disclosed and mitigated.

In April, the DOD Cyber Crime Center and the Defense Counterintelligence and Security Agency launched a 12-month Defense Industrial Base Vulnerability Disclosure Program for third-party firms and companies that are part of the Defense Industrial Base Sector and work with the Pentagon to supply technology and research.

Branches of the U.S. military have also run their own vulnerability disclosure programs.

Earlier this year, the Army launched its third "Hack the Army" program in conjunction with the Defense Digital Service and HackerOne.

A 2018 vulnerability disclosure program run by the Air Force uncovered 120 vulnerabilities and paid out $130,000 to the hackers who uncovered them.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.