DoD announces launch of a new bug bounty program


Today, the Department of Defense (DoD) announced that the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) are launching the “Hack U.S” bug bounty program.

The program will pay ethical hackers and security researchers who identify critical- and high-severity vulnerabilities within the scope of the DoD's existing vulnerability disclosure program.

To encourage researchers to participate, the DoD has set aside a total of $110,000 for vulnerability disclosures. Payouts are $1,000 for critical-severity reports, $500 for high-severity reports, and $3,000 for reports that fall into additional special categories.

The launch comes as the DoD and HackerOne conclude a 12-month pilot of the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP). It also comes as more organizations recognize that their attack surface has expanded to the point where internal security teams simply cannot keep up on their own.

Why bug bounties are picking up momentum 

One of the key forces driving interest in bug bounties is the sheer number of vulnerabilities present in modern enterprise environments.

Research suggests that the average organization has about 31,066 security vulnerabilities across its attack surface, a backlog a small internal security team cannot work through alone, even with the latest vulnerability management or attack surface management tools.

Given that volume, it is no surprise that 44% of organizations report they lack confidence in their ability to address the risk created by the attack resistance gap, the distance between the vulnerabilities they can find and fix and the ones attackers can exploit.

Bug bounties offer an answer to this challenge by giving security teams access to a large pool of outside security researchers who identify vulnerabilities and recommend fixes.