Hack The Pentagon

DDS is the Directorate for Digital Services in the Chief Digital and Artificial Intelligence Office (CDAO) in the Office of the Secretary of Defense at the Department of DefensE.

I Only Want The Facts:

For DoD Partners

→

For Vendors

→

For Security Researchers

→

A Bug Bounty is a time-boxed assessment where monetary rewards are given to security researchers/ethical hackers in exchange for reporting bugs or vulnerabilities in systems. Some of our past DoD business partners/asset owners have included the U.S. Army, U.S. Navy, U.S. Air Force, U.S. Marine Corps, DoD agencies and offices, and the Pentagon itself.

Our DoD business partners/asset owners choose us because we increase their resistance to attack by mobilizing or tapping into the world’s top security researchers to identify vulnerabilities on their behalf.

We Test DoD Websites, Apps, Public Facing Assets, And More

3 Things To Know For The DoD

Want to learn more?

→

A Bug Bounty is a highly coordinated and secured competition where ethical hackers are awarded monetary compensation for successfully discovering and reporting vulnerabilities through pre-established channels.

Learn more about current policy regarding Bug Bounties:

Learn More

Bug Bounties are a rapid and more cost-efficient way for DoD to identify and remediate unknown vulnerabilities before the adversary can exploit them.

Bug Bounties are invitations to security researchers to hack specific systems within published rules of engagement whose findings are incentivized with financial award.

In a Vulnerability Disclosure Program (VDP), researchers report vulnerabilities on the honor system. Findings are acknowledged but there is no financial award.

Visit The VDP

Why Run A Bug Bounty With DDS?

We facilitate procurement, project management, & platform management for reporting

Our programs are cost efficient with a proven history of ROI

We offer flexibility in testing scale and a diversity of researchers

Our Bug Bounties generate real and actionable results for reporting and remediation

Bug Bounty By The Numbers

Based On The Average Of 40+ Bounties

Average Bug Bounty Cost:

‍$300K

Average Vulnerability Count:

Critical=11 High=23 Medium=4

Hack The Pentagon To Date

40+ Bug Bounties Run

We have run both private (hand-selected, cleared security researchers) and public (open to a wider and global security researcher community) bounties with the U.S. Army, U.S. Navy, U.S. Air Force, U.S. Marine Corps, DoD agencies and offices, and the Pentagon itself.

1400+ Security Researchers Sourced

Also known as “white hats” or ethical hackers, security researchers are security experts that proactively perform assessments designed to find vulnerabilities and improve your organization’s security.

2100+ Vulnerabilities Found

Since 2016, Hack the Pentagon bounties have repeatedly tested DoD assets as an adversary would.

Average Bounty Vulnerability Count: 38
→ Critical = 11
→ High = 23
→ Medium= 4

Interested In Running A Bug Bounty?

What People Are Saying

Dr. Craig Martell

Chief Digital and
Artificial Intelligence Officer

“The website helps equip DoD to run continuous bug bounties as part of a comprehensive cybersecurity strategy.”

Dr. Craig Martell

Chief Digital and
Artificial Intelligence Officer

“With the HtP website launch, CDAO is scaling a long running program, which historically offered services on a project-by-project basis, by offering the Department better access to lessons learned and best practices for hosting bug bounties."

Ash Carter

Former
Secretary of Defense

“When it comes to information and technology, the defense establishment usually relies on closed systems. But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters."

Eric Fanning

Former
Secretary of the Army

“What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security, but lack a legal avenue to do so."

Ash Carter

Former
Secretary of Defense

“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer."

←

→

Want To Report A Vulnerability?

Explore The Bounty Playbook To Learn About The Bounty Process

Are You A Good Candidate To Run A Bug Bounty?

Have A Question Before Getting Started?

Fill out the form below and we will get back to you as soon as possible.

All fields below are required. Do not submit any classified, CUI, or otherwise sensitive information.

Submitted! We will review and get back to you as soon as possible.

Oops! Something went wrong while submitting the form.

↑

DDS runs Bug Bounties for the Department of Defense.

Our DoD business partners/asset owners choose us because we increase their resistance to attack by mobilizing or tapping into the world’s top security researchers to identify vulnerabilities on their behalf.

3 Things To Know For The DoD

Why Run A Bug Bounty With DDS?

Bug Bounty By The Numbers

Hack The Pentagon To Date

Interested In Running A Bug Bounty?

Who Is A Good Candidate?

↓

↑

Are Security Researchers Necessary?

↓

↑

How Long Does It Take?

↓

↑

How Much Does It Cost?

↓

↑

What People Are Saying

Have A Question Before Getting Started?