Continuous Bounty: Practicing What We Preach

By: CDAO Public Affairs
CDAO Continuous Bounty

The Hack the Pentagon team is pleased to announce the launch of the CDAO Continuous Bounty!

Since the start of Hack the Pentagon in 2016, our bounties have been traditional bounties with identified time boxes, scope, and partners. But what if we looked beyond that to test our own systems? What if we rewarded researchers’ discoveries outside of a short-term bounty period?

Introducing the continuous bounty, the first of its kind in the Department of Defense (DoD). This bounty lasts one year and has the option to be extended. We are beginning with public-facing DDS assets (dds.mil and all associated subdomains, hackthepentagon.mil, and code.mil) and will scale to CDAO assets and beyond.

The sessions will cover the full scope of issues related to developing and implementing data, analytics, and AI in DoD, including the role of large language models (LLMs) and enablers like digital talent, acquisition, and cyber security. There will be sessions for everyone – from the most technical programmers to policy makers and human resources professionals.

This effort also includes a “rapid response” capability, where our industry partner can put researchers on the hunt for a specific, exploitable critical vulnerability across the entirety of DoD public-facing infrastructure in less than 72 hours. This will strengthen our cyber resiliency when we run into the next widespread or critical vulnerability.

“We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities are achievable and scalable to support obtaining quality data,” says Jennifer Hay, Director of Defense Digital Service at the Chief Digital and Artificial Intelligence Office.

“We think the continuous and rapid response bounty program is a real game changer for scaling bug bounties out more efficiently and effectively for the Department,” says Allen Vance, Hack the Pentagon Portfolio Lead.

The CDAO-DDS Hack the Pentagon team has partnered with Bugcrowd to run the continuous bounty with invited security researchers. As the continuous bounty pilot is tested, bounty submissions will be opened to the public.

“The DDS and Hack the Pentagon teams are at the forefront of defending our nation, embracing ongoing dialogue with diverse and cutting-edge talent to safeguard our vital assets. We are thrilled to be partnering with CDAO and revolutionizing approaches to continuous bug bounties and researcher engagement,” says Kent Wilson, VP, Global Public Sector Sales.

We look forward to sharing updates as we kick off this inaugural bounty! If you are interested in learning more about bug bounties, please visit our website, hackthepentagon.mil, or check out Bugcrowd at www.bugcrowd.com.