Celebrating Five Years of Hack the Pentagon

Photo courtesy of https://unsplash.com/@hishahadat

By: Daniel Bardenstein
Digital Service Expert, Cybersecurity

Hack the Pentagon, the first-ever government bug bounty program, reaches its 5th year. We’re reflecting on what we’ve learned along the way.

As someone who measures the passage of time by the age of my friends’ children, it seems fitting to celebrate the 5th birthday of DDS’ Hack the Pentagon by reflecting on what we’ve accomplished. From standing up the U.S. government’s first-ever bug bounty and Vulnerability Disclosure Program (VDP) to a mention on Jimmy Fallon’s late night show to wheeling part of an F-15 fighter jet into a Las Vegas casino, we’ve had quite a journey!

I joined DDS in April 2020, right as the COVID-19 pandemic spread throughout the U.S. Though I didn’t realize it then, the timing worked out. I not only joined the growing Hack the Pentagon team, but I also spearheaded DDS’ efforts to co-lead cybersecurity with the NSA for Operation Warp Speed (OWS), the U.S.’s COVID vaccine and therapeutics initiative. Between OWS and Hack the Pentagon, I was able to leverage my private sector background in both cybersecurity and product/project management, and contributed to DDS’ impact at a time of global crisis.

So, what is Hack the Pentagon? Established in 2016, it is DDS’ oldest program and the first-ever bug bounty program in the federal government focused on securing critical DOD information systems and changing the culture around cybersecurity within the DOD. Bug bounties allow vetted independent security researchers, or “ethical hackers,” to access sensitive systems and receive financial rewards (“bounties”) for discovering vulnerabilities, or bugs. Over the past five years, Hack the Pentagon has run over 40 bug bounties across DOD, bringing in over 3,000 hackers who spent more than 25,000 hours and identified more than 2,500 vulnerabilities, netting over $650,000 in bounty payments. Through these bounty programs, we’ve worked with ethical hackers to hack into planes, next-generation secure hardware, actual networks in the Pentagon, power and HVAC systems, water treatment facilities, and much more... but we can’t always hack and tell.

Beyond the assessments and the payouts, Hack the Pentagon is about more than just securing systems. The program has been instrumental in shifting an otherwise straight-laced government culture away from compliance checklists and scheduled, predictable assessments towards continuous testing that emulates real-world adversary tactics, techniques, and procedures. Instead of vilifying hackers and non-government security experts, the DOD now closely engages with the security community in a mutually beneficial partnership. Essentially, we’re helping the DOD get out of its own way.

In 2018, DDS partnered with the Department of Defense Cyber Crimes Center (DC3) to launch another first-ever for the federal government: a vulnerability disclosure program (VDP) to further leverage the expertise of hackers to secure DOD public-facing web assets. After 25 months of patient pushing, we finally broadened the scope of the VDP in early 2021 to include all public-facing “information systems,” meaning any and every DOD system on the public internet, from internet-of-things devices to industrial control systems, and much, much more.

All of this translates to a successful, ongoing partnership with expert security researchers who can quickly and astutely discover vulnerabilities that we can fix before they become serious, persistent issues. In today’s world, you cannot be too secure, nor should we expect to do it alone. Simply put, this program has protected, and will continue to protect, the service members, employees, and infrastructure, from buildings to planes to healthcare, that comprise DOD.
