The US Department of Defense significantly has expanded its bug bounty program to all publicly accessible information systems, including not just websites but also networks, frequency-based communication, Internet of Things, and industrial control systems. 

The DoD bug bounty, which is overseen by the DoD’s Cyber Crime Center (DC3), is now much broader than the “Hack the Pentagon” pilot kicked off in 2016 with partner HackerOne. Hackers were restricted to probing DoD’s public-facing websites and applications. 

Brett Goldstein, director of the Defense Digital Service, said the DoD’s bug bounty “allows for research and reporting of vulnerabilities related to all DoD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more”, according to a DoD press release.  

“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” said Goldstein.

The DoD says that since the bug bounty launched, it had received more than 29,000 vulnerability reports from hackers. More than 70 percent of them determined to be valid after triage.   

Last month DC3 launched another bug bounty pilot called the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), which aims to improve the security of defense contractors. It’s also being run on HackerOne

Carnegie Mellon University Software Engineering Institute conducted a feasibility study in 2020 and recommended the pilot program proceed

“The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said DC3 director Kristopher Johnson.

Johnson said he expects the number of bug reports it receives to “drastically increase” due to the broader scope of the program, which now allows security researchers to report bugs they wouldn’t have been allowed to in the past.