The Pentagon wants hackers to put its websites’ cyber defenses to the test with its bug bounty “Hack the Pentagon” program. And Hack The Pentagon is now officially up and running, with a $150,000 bounty budget. Don’t just start hacking, though: in order for that to not be a felony, you need to sign up with HackerOne.
Vetted hackers will be invited to test the security of the Department of Defense website. The program, set up by the Pentagon’s Defense Digital Service (DDS), is focused on the public-facing sites and, at least for now, won’t include the testing of more private systems and networks that may contain sensitive data or details on weapons.
Bug bounty programs are pretty common. They’re used by companies like Google and Facebook as well as startups to encourage white-hat hackers to privately disclose vulnerabilities they find in their sites and services in return for a reward, usually cash.
Hack the Pentagon, which launches in April, is the first such program designed by the federal government and is modeled on these traditional bug bounty schemes. The details of the program are still being finalized and the prizes “could involve monetary awards” reports Reuters, but this has yet to be confirmed.
The Pentagon previously conducted such tests internally but the Department of Defense says it is expecting thousands of applicants. White-hat hackers who are interested must pass a background check before they can start testing the sites.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” said Defense Secretary Ashton Carter. Chris Lynch, head of DDS, added that “Bringing in the best talent, technology, and processes from the private sector … helps us deliver comprehensive, more secure solutions to the DOD.”
The Pentagon and several government departments are probably having a serious rethink of their cyber defense strategy following a pretty rocky couple of years that saw the Office of Personnel Management hacked, and most recently, the IRS breached by a cyberattack.
Interested parties can sign up with Hacker One, a security firm that specializes in hiring hackers to reveal vulnerabilities. Ars Technica is reporting a $150,000 bounty budget for the project, so finding a flaw could prove valuable.
Anyone legally permitted to work in the US can apply, pending a background check. The full details:
- You must have successfully registered as a participant through this security page.
- You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
- You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
- You must not reside in a country currently under U.S. trade sanctions.
- You must not be on the U.S. Department of the Treasury’s Specially Designated Nationals list.
One more exception: Current members of the U.S. Military are not permitted to participate, with one exception: United States Digital Service personnel with express approval from their supervisors.
If all this applies to you, and you’ve got some skills, sign up and see what you can do!
- Personal info of 30,000-plus Pentagon employees compromised in contractor breach
- Tumblr promises it fixed a bug that left user data exposed
- Sprayable antennas could usher in a new era of ultracompact wearable devices
- ProtonVPN and NordVPN patched up vulnerabilities before they became known
- Twitter squashes security bug leaking direct messages since 2017