Air Force Cyber Protection Team exercise UPDATED with Synack details on sensitive systems WASHINGTON: The Defense Department just announced three new contracts worth up to $34 million to pay people to hack into its systems. It may seem counterintuitive, but with Chinese, Russian, and North Korean hackers constantly on the prowl, government agencies are increasingly willing to award “bug bounties” to freelance hackers who can find vulnerabilities first and report them so they can be fixed before the bad guys exploit them. This latest award builds on the Defense Digital Service’s Hack The Pentagon initiative. Launched two years ago, the effort expanded from an initial trial run for selected DoD websites to more intensive and extensive work for the Army, Air Force and the Defense Travel System. Three private-sector “crowd-sourced cybersecurity” companies received awards in the announcement yesterday: Statistics from 2016’s Hack the Pentagon “bug bounty” program UPDATED One award went to HackerOne, which has run best-publicized programs, hunting bugs in .mil websites and other publicly accessible systems, under a $3 million contract let in 2016. A second award went to competitor Synack. Their prior work on Hack The Pentagon has gotten much less coverage — despite being a larger contract ($4 million) and arguably of higher importance — because it involves smaller numbers of more thoroughly vetted hackers working on six undisclosed “critical” and “sensitive internal systems,” including file transfer between classified networks. The third award went to Bugcrowd, which hasn’t done business with the Pentagon before. UPDATE ENDS Offering a reward to anyone who reports a bug — instead of going to carefully selected and vetted vendors — is becoming common in the commercial world but remains outside the comfort zone for many government officials. Advocates argue that, by casting a broad net for talent and letting freelancers pursue whatever leads they find, such crowdsourced efforts often find bugs that traditional security contractors miss, and they cost pennies on the dollar. UPDATE Synack tells me it reported its first bug within hours of launching the program and its highest single payout was $30,000. HackerOne says its larger pool of hackers, working on websites and other lower-priority systems, have found over 5,000 verified vulnerabilities in Defense Department systems and paid out $500,000 in bounties — just about $500 per bug. And if participating hackers report an issue that’s already been found or isn’t a genuine problem, they don’t get paid. It’s the gig economy of Uber and AirBnB, applied to national security.