At RSA, Defense chief Carter unveils feds first ‘bug bounty’

The Pentagon announced the first ever "bug bounty" program run by a federal department Wednesday, saying it would allow vetted white-hat hackers to try attacking its public facing websites and promising cash rewards for any victors.

The Pentagon will pilot the first ever “bug bounty” program run by a federal government department, saying Wednesday it would allow vetted white-hat hackers to try attacking its public-facing websites and promising cash rewards for any who succeeded.

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Defense Secretary Ash Carter said in a statement.  “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”

The “Hack the Pentagon” program is the brainchild of the new Defense Digital Service — the Defense Department arm of the White House’s U.S. Digital Service — launched by Carter last November.

The pilot program, to be launched next month, is modeled on similar contests run by large Internet and software companies, according to Pentagon Spokesman Peter Cook. It “marks the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites, and networks,” Cook added.



At the RSA Conference in San Francisco, Carter said Wednesday that the bounty mirrors the best practices of Silicon Valley companies, which often recruit white-hat hackers to find gaps in their security.

“You would rather find the vulnerabilities in that way than the other way,” Carter said, referring to the possibility of a data breach. “You can’t just keep doing what we are doing. The world changes too fast, our competitors change too fast.”

Unlike commercial bug bounty programs, which are open to all comers or organized by third party vendors like Bugcrowd, Inc., the Pentagon will require participants to undergo a background check before participating. Once vetted, the volunteers will join “a controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system,” said Cook.

“Other networks, including the department’s critical, mission-facing systems will not be part of” the pilot, he added.


“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” said the Defense Digital Service’s director, technology entrepreneur Chris Lynch.

The department also announced the Defense Innovation Advisory Board, a 12-person team of Silicon Valley CEOs that will provide advice on the best and latest practices in innovation that the department can emulate. Alphabet Chairman and former Google CEO Eric Schmidt will be in charge of the board.

“I’m so grateful to Eric Schmidt for his willingness to do things,” Carter said Wednesday. “He’s the perfect chairman. He is deadly serious about spending his time [at DOD].

News of the pilot was welcomed, and not just by the hacker community, who have long argued that such programs allow white-hat hackers to monetize their skills for the common good. Conventional defense contractor Raytheon’s new cybersecurity acquisition, Foreground Security, joined the chorus of praise.

The program “is another example of Defense Secretary Ash Carter’s efforts to strengthen our national security by tapping the high-end talent capable of hunting cyber threats,” company founder and President Dave Amsler told FedScoop. “The Hack the Pentagon program is a step in the right direction to be more proactive in detecting and eradicating cyber threats.”


“Inviting members of the highly skilled hacker community is an incredibly effective way to identify inevitable security vulnerabilities that your own testing missed,” added Katie Moussouris, the chief policy officer for HackerOne.

She said the Pentagon was blazing a trail others could follow. “The broad implication here isn’t just strengthening national security, but it will also have a ripple effect for other governments’ and industries’ acceptance.”

Correspondent Greg Otto, at RSA in San Francisco, contributed reporting to this story. Contact him via email at, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

Latest Podcasts