The Department of Defense yesterday announced that it would be collaborating with the San Francisco-based company HackerOne on its upcoming “Hack the Pentagon” challenge.
In a statement announcing the opening of registration, Pentagon Press Secretary Peter Cook said that the pilot program is designed to identify and resolve security vulnerabilities within DoD websites through crowdsourcing. Interested hackers can sign up for the challenge right now on the initiative’s new website.
HackerOne, a bug-bounty-as-a-service firm based in California’s Silicon Valley, will run the Hack the Pentagon pilot program together with DoD over the next several weeks.
The Hack the Pentagon bug bounty pilot will start April 18 and end by May 12, Cook said, and HackerOne will issue qualifying bounties no later than June 10. Hackers who find security holes can earn up to $150,000 in this “bug bounty” program, though the size of each payment will depend “on a number of factors,” the Pentagon said.
“The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches,” Cook said. “Critical, mission-facing computer systems will not be involved in the program.” Instead, a few of the DoD’s public websites will be put to the test by registered participants, who will first need to pass a background check.
First announced by the military earlier this month, the program challenges outsiders to find bugs and security vulnerabilities in Pentagon systems. In a statement on Thursday, DoD said the several-weeks-long program would be led by HackerOne, whose bug bounty platform is used by companies ranging from Facebook to IBM.
“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” Defense Secretary Ash Carter said in a statement. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”
HackerOne has set up a registration site for eligible participants at https://hackerone.com/hackthepentagon. Eligible participants must be U.S. persons and must not appear on the U.S. Treasury Department’s Specially Designated Nationals list of people and organizations involved in terrorism, drug trafficking and other crimes. U.S. citizens and companies are forbidden from doing business with listed entities.
DoD’s Defense Digital Service, which Carter launched in November, is leading the initiative. “The DDS, an arm of the White House’s dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department’s technological agility,” Cook said.
Inviting outsiders to try to hack Pentagon systems is a first for the department, though such programs are common among corporations. “Hack the Pentagon” is the type of “bug bounty” program that many private tech companies, such as Google and Microsoft, have operated for years, giving independent security researchers the green light to find vulnerabilities in their systems and report them. It is a way to find problems faster and fix them before a malicious hacker finds a way in.
“Collaboration and transparency with external finders has become essential to securing connected software on the Internet,” HackerOne CEO Marten Mickos said in a statement. “Embracing the hacker community is not only a watershed move by the Pentagon, among the world’s most powerful organizations, but also signals deeply promising progress for all of software security.”