Skip to main content

Department of Defense officially launches ‘Hack the Pentagon’ program

perdix drone swarm the pentagon united states department of defense
David B. Gleason/Flickr
The Pentagon wants hackers to put its websites’ cyber defenses to the test with its bug bounty “Hack the Pentagon” program. And Hack The Pentagon is now officially up and running, with a $150,000 bounty budget. Don’t just start hacking, though: in order for that to not be a felony, you need to sign up with HackerOne.

Vetted hackers will be invited to test the security of the Department of Defense website. The program, set up by the Pentagon’s Defense Digital Service (DDS), is focused on the public-facing sites and, at least for now, won’t include the testing of more private systems and networks that may contain sensitive data or details on weapons.

Related Videos

Bug bounty programs are pretty common. They’re used by companies like Google and Facebook as well as startups to encourage white-hat hackers to privately disclose vulnerabilities they find in their sites and services in return for a reward, usually cash.

Hack the Pentagon, which launches in April, is the first such program designed by the federal government and is modeled on these traditional bug bounty schemes. The details of the program are still being finalized and the prizes “could involve monetary awards” reports Reuters, but this has yet to be confirmed.

The Pentagon previously conducted such tests internally but the Department of Defense says it is expecting thousands of applicants. White-hat hackers who are interested must pass a background check before they can start testing the sites.

“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” said Defense Secretary Ashton Carter. Chris Lynch, head of DDS, added that “Bringing in the best talent, technology, and processes from the private sector … helps us deliver comprehensive, more secure solutions to the DOD.”

The Pentagon and several government departments are probably having a serious rethink of their cyber defense strategy following a pretty rocky couple of years that saw the Office of Personnel Management hacked, and most recently, the IRS breached by a cyberattack.

Interested parties can sign up with Hacker One, a security firm that specializes in hiring hackers to reveal vulnerabilities. Ars Technica is reporting a $150,000 bounty budget for the project, so finding a flaw could prove valuable.

Anyone legally permitted to work in the US can apply, pending a background check. The full details:

  • You must have successfully registered as a participant through this security page.
  • You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
  • You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
  • You must not reside in a country currently under U.S. trade sanctions.
  • You must not be on the U.S. Department of the Treasury’s Specially Designated Nationals list.

One more exception: Current members of the U.S. Military are not permitted to participate, with one exception: United States Digital Service personnel with express approval from their supervisors.

If all this applies to you, and you’ve got some skills, sign up and see what you can do!

Editors' Recommendations

Experts found a record number of zero-day hacks in 2021
A digital depiction of a laptop being hacked by a hacker.

Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.

Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.

Read more
Victims of latest massive LAPSUS$ hack include Facebook, DHL
facebook privacy mark zuckerberg

Hacking group LAPSUS$ has revealed its latest target: Globant, an IT and software development company whose clientele includes the likes of technology giant Facebook.

In a Telegram update where the hackers affirmed they’re “back from a vacation,” -- potentially referring to alleged members of the group getting arrested in London -- LAPSUS$ stated that they’ve acquired 70GB of data from the cyber security breach.

Read more
Here’s the major mistake one LAPSUS$ hacking victim made
A digital depiction of a laptop being hacked by a hacker.

Digital security authentication company Okta raised eyebrows when it confirmed it was targeted by Microsoft and Nvidia hackers, LAPSUS$, around two months after the breach occurred.

The wait between the initial period of the cyber security incident and the official acknowledgment of the hack caused serious concern among security researchers and the technology community. Now, Okta has published an FAQ regarding the situation where it admits the firm made a mistake.

Read more