DoD Announces Launch of New Bug Bounty Program



Today, the Department of Defense (DoD) announced that the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate of Digital Services, and the Department of Defense Cybercrime Center (DC3) are launching the “Hack US” bug bounty program.

The program will provide financial rewards to ethical hackers and security researchers who can identify critical and high-severity vulnerabilities under the DoD Vulnerability Disclosure Program.

To encourage researchers to participate, the DoD will provide a total of $110,000 for vulnerability disclosures. Payouts are $1,000 for critical-severity reports, $500 for high-severity reports, and $3,000 for reports in additional special categories.

The DoD’s decision to issue a bug bounty comes not only as the DoD and HackerOne have concluded a 12-month pilot under the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), but also as more and more organizations recognize that the attack surface has expanded to the point where security teams simply can’t keep up.

Why bug bounties are gaining momentum

One of the main drivers behind the growing interest in bug bounties is the high number of vulnerabilities present in modern enterprise environments.

Research suggests that the average organization has approximately 31,066 security vulnerabilities in its attack surface, a number that a small internal security team cannot mitigate on its own, even if it has access to the latest vulnerability management tools or attack surface management.

Given the high number of vulnerabilities, it is not surprising that 44% of organizations say they are not confident in their ability to deal with the risks introduced by the attack resistance deficit.

Bug bounties provide an answer to this challenge, giving security teams access to support from an army of security researchers who can help provide assistance by identifying vulnerabilities and recommending fixes.

“It takes an army of adversaries to outwit an army of allies, and many organizations tap into the community of millions of bona fide hackers around the world who are skilled, ready and willing to help,” said Casey Ellis, founder and CTO of Bugcrowd.

“The fine folks at DoD DC3 have been running a vulnerability disclosure program for many years with great diligence and success, so to see them ‘upgrading’ this to a paid bug bounty program makes a lot of sense,” Ellis said.

Of course, the DoD isn’t alone in embracing crowdsourced cybersecurity, with organizations like Microsoft, Google, Apple, Meta, and Samsung all running their own vulnerability bounty programs to keep their systems and end products secure.

The bug bounty movement

According to researchers, the global bug bounty market is growing, valued at $223.1 million in 2020, and is expected to reach $5,465.5 million by 2027.

In the past 12 months alone, the bug bounty market has seen significant investment activity, with HackerOne reportedly raising $49 million in funding, Belgian company Intigriti raising $23 million in a Series B round, and Web3 bug bounty platform Immunefi raising $5.5 million in seed funding.

At the same time, other vendors have launched new crowdsourced initiatives, such as 1Password, which announced a $1 million bug bounty that in April paid out $103,000 to researchers.

These solutions are attracting investor interest because “effective bug bounty programs limit the impact of serious security vulnerabilities that could easily have put an organization’s customer base at risk,” said Ray Kelly, software fellow at the Synopsys Software Integrity Group.

“Payments for bug reports can sometimes exceed six-figure sums, which may seem like a lot. However, the cost to an organization of remediating and recovering from a zero-day vulnerability could total millions of dollars in loss of revenue,” Kelly said.

On the other side of the fence, even notorious cybergangs like LockBit are experimenting with bug bounties, asking researchers and hackers to submit PII on high-profile individuals and web exploits in exchange for compensation of up to $1 million.

The Bug Bounty Market: Top Players and Key Differentiators

At this stage of market growth, one of the major vendors is HackerOne, which not only has a close relationship with the DoD, but has also raised $160 million in total funding to date and maintains a community of over 1,000,000 ethical hackers who have resolved over 294,000 vulnerabilities to date.

HackerOne provides a bug bounty platform that organizations can use to create an inventory of cloud, web, and API resources, which other researchers can then test to see if vulnerabilities exist.

One of HackerOne’s biggest competitors in the market is industry pioneer Bugcrowd, which has itself raised $80 million in funding and offers a platform that can automatically identify vulnerabilities in an organization’s attack surface.

After detecting vulnerabilities, the platform can then connect companies with security researchers and engineers to investigate and report their vulnerability findings directly into existing DevOps and security workflows.

Other providers in the market include European bug bounty provider Intigriti, which offers a platform of over 50,000 researchers and has paid out over $5 million in bounties to date.

At this point, the main differentiator between these providers is not just the size of the pool of researchers they offer access to, but the means by which they connect companies with the right researchers to secure their environments.

VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions.

Ryan H. Bowman