Inside DOD’s latest Hack the Pentagon bug bounty

This time the Pentagon wants hackers to find vulnerabilities in the Defense Travel System's public-facing websites.
The Defense Department issued a custom "challenge coin" for one of the Hack the Pentagon pilot programs in 2016. (Defense Digital Service / Twitter)

The Defense Department has launched another bug bounty — this time to find vulnerabilities in the Defense Travel System’s public-facing websites.

Yet again, the Pentagon and the Defense Digital Service are pairing with HackerOne to invite the public to search for and report flaws in the department's systems. HackerOne has hosted similar engagements for the Air Force, the Army and the DoD at large, with hackers reporting hundreds of valid vulnerabilities and the Pentagon paying out hundreds of thousands of dollars.

Because DTS — an enterprise system that DoD personnel use to book things like airline and hotel reservations when they travel for DoD business — is used by millions of people and maintains sensitive information, hardening its security is a priority for the DOD, said Reina Staley, the chief of staff for the Defense Digital Service, which oversees the military’s bug bounty contests under the Hack the Pentagon program.

“The quick, positive reception of the [Hack the Pentagon] program has been a major win; inviting hackers to uncover vulnerabilities in DoD assets sounds counterintuitive to traditional government security practice, but the value of crowdsourcing external talent has been clear in every challenge we’ve run to date,” Staley told FedScoop’s sister publication CyberScoop in an email.

The Pentagon is essentially crowdsourcing the security of DTS from a pool of hackers recruited by HackerOne. Participants are probing DTS for vulnerabilities that could be exploited by adversaries. People who submit a valid vulnerability could win money. The program opened April 1 and will close April 29.

“The most security mature organizations look to others for help,” said Alex Rice, HackerOne’s co-founder and CTO, in a press release. “We’re excited to bring a fresh, mission-critical asset to the hacker community with the goal of protecting the sensitive government data it contains.”

Read more about the bounty on