U.S. DoD Hopes To Stamp Out Threats With Bug Bounty Program

The U.S. Department of Defense is the latest government entity to double down on hunting for vulnerabilities in its own systems, on Monday announcing an expansion of its bug bounty program.

The U.S. Department of Defense is doubling down on rooting out vulnerabilities in its sprawling government systems. On Monday, the DoD announced it was expanding its bug bounty program to include the agency's massive Defense Travel System.

The “Hack the DTS” program launched in partnership with bug bounty firm HackerOne. It invites researchers to find and report vulnerabilities in a Department of Defense enterprise system called the Defense Travel System (DTS). The DTS serves the DoD's massive travel bureaucracy and is responsible for everything from generating itineraries to processing reimbursements for millions of DoD travelers worldwide.

“The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at the Defense Manpower Data Center, in a statement. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”

“The scale of users, volume of travel booked, and sensitive information it is responsible for maintaining makes DTS both a compelling asset for researchers and a priority for DoD to harden its security,” Reina Staley, chief of staff and co-founder of Defense Digital Service, told Threatpost.

Up to 600 eligible white-hat hackers will be invited to participate in the challenge, according to HackerOne. To be eligible to participate in this latest DoD bug bounty challenge, hackers must be U.S. taxpayers or citizens eligible to work in the United Kingdom, Canada, Australia, or New Zealand. Active-duty U.S. military members and government contractor personnel are also eligible to participate but are not eligible for financial rewards, the DoD said.

Registration for the bug bounty program opened on April 1, and the challenge will run until April 29. HackerOne would not disclose the financial rewards tied to the program, but said that in May the company will announce the total amount paid out.

The program is part of a push by the U.S. Department of Defense to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. “The intent of our Hack the Pentagon program is to enable the entire Department of Defense to run both public and private bug bounties against websites, applications, and internal systems that are critical to DoD operations,” said Staley.

“Hack the DTS” is the latest effort by the government to step up its cybersecurity measures. The “Hack the Pentagon” program was first launched in 2016, and since then over 3,000 vulnerabilities have been resolved in government systems. That includes invite-only programs like “Hack the Air Force” in 2017, which resulted in 207 reports and $130,000 in rewards for hackers, and “Hack the Army” in 2016, which resulted in 138 resolved vulnerabilities and $100,000 in rewards for hackers.

“The quick, positive reception of the program has been a major win; inviting hackers to uncover vulnerabilities in DoD assets sounds counterintuitive to traditional government security practice, but the value of crowdsourcing external talent has been clear in every challenge we’ve run to date,” said Staley. “It is also very rewarding to see and help champion the bug bounty concept across other federal agencies like GSA, DHS, the State Department, and more.”