DoD News, Defense Media Activity
WASHINGTON, March 31, 2016 — Interested participants may now register to compete in the "Hack the Pentagon" pilot program, Pentagon Press Secretary Peter Cook said today.
In a statement announcing the opening of registration, Cook said the pilot program -- designed to identify and resolve security vulnerabilities within Defense Department websites through crowdsourcing -- is the first “bug bounty” program in the history of the federal government.
DoD is partnering with HackerOne, a reputable bug-bounty-as-a-service firm based out of California’s Silicon Valley, to run the Hack the Pentagon pilot program over the next several weeks, the press secretary said.
The Hack the Pentagon bug bounty pilot will start April 18 and end by May 12, Cook said, and HackerOne will issue qualifying bounties no later than June 10.
No Critical, Mission-Facing Systems Involved
“The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches,” Cook said. “Critical, mission-facing computer systems will not be involved in the program.”
HackerOne has set up a registration site for eligible participants at https://hackerone.com/hackthepentagon. Each eligible participant must be a U.S. person and must not be on the U.S. Treasury Department's Specially Designated Nationals list of people and organizations engaged in terrorism, drug trafficking and other crimes. U.S. citizens and companies are prohibited from doing business with listed entities.
In addition, the press secretary said, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. Screening details will be communicated to participants in advance, he added, and participants will be able to opt out of any screening. Those who opt out of the screening will forgo bounty compensation, he said.
Modeled After Similar Industry Challenges
The Hack the Pentagon pilot program is modeled after similar challenges conducted by some of the nation's biggest companies to improve the security and delivery of networks, products and digital services, Cook noted. By providing a legal avenue for the responsible disclosure of security vulnerabilities, he added, bug bounties engage the hacker community to contribute to the security of the Internet.
Individual bounty payments will depend on a number of factors, he said, but will come from the $150,000 in funding for the program.
"This initiative will put the department's cybersecurity to the test in an innovative, but responsible way," Defense Secretary Ash Carter said of the program. "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."
DoD's Defense Digital Service, which Carter launched in November, is leading the initiative. “The DDS, an arm of the White House's dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department's technological agility,” Cook said.