Continuous Bounty: Practicing What We Preach 

The Hack the Pentagon team is pleased to announce the launch of the CDAO Continuous Bounty!

Since the start of Hack the Pentagon in 2016, our bounties have been traditional bounties with identified time boxes, scope, and partners. But what if we looked beyond that to test our own systems? What if we rewarded researchers’ discoveries outside of a short-term bounty period?

Introducing the continuous bounty, the first of its kind in the Department of Defense (DoD). This bounty lasts one year and has the option to be extended. We are beginning with public-facing DDS assets (dds.mil and all associated subdomains, hackthepentagon.mil, and code.mil) and will scale to CDAO assets and beyond.

This effort also includes a “rapid response” capability, where our industry partner can put researchers on the hunt for a specific, exploitable critical vulnerability across the entirety of DoD public-facing infrastructure in less than 72 hours. This will strengthen our cyber resiliency if we run into the next widespread/critical vulnerability.

“We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities is achievable and scalable to support obtaining quality data,” says Jennifer Hay, Director of Defense Digital Service at the Chief Digital and Artificial Intelligence Office.

“We think the continuous and rapid response bounty program is a real game changer for scaling bug bounties out more efficiently and effectively for the Department,” says Allen Vance, Hack the Pentagon Portfolio Lead. 

CDAO-DDS Hack the Pentagon team has partnered with Bugcrowd to run the continuous bounty with invited security researchers. As the continuous bounty pilot is tested, bounty submissions will be opened to the public. 

"The DDS and Hack the Pentagon teams are at the forefront of defending our nation, embracing ongoing dialogue with diverse and cutting-edge talent to safeguard our vital assets. We are thrilled to be partnering with CDAO and revolutionizing approaches to continuous bug bounties and researcher engagement." Kent Wilson, VP, GLOBAL PUBLIC SECTOR SALES

We look forward to sharing updates as we kick off this inaugural bounty! If you are interested to learn more about bug bounties, please visit our website: hackthepentagon.mil or check out Bugcrowd: www.bugcrowd.com.