This article is more than 1 year old

Hack the planet, er, Pentagon: US Dept of Defense puts bounties on bugs

Just pass the background test

The Pentagon will next month launch the US government's first bug bounty program encouraging hackers to break into its websites in what could lead to a broader invitation to hack state assets for cash.

Details on the cash rewards offered under the 'Hack the Pentagon' program have not yet been released.

it will use "commercial sector crowdsourcing" bug bounty programs - such as HackerOne or BugCrowd - meaning it will be open to "qualified" hackers who pass background checks.

The program will be restricted in scope so that hackers can target defined assets and not mission-critical systems.

Secretary of Defense Ash Carter says the bounty program will strengthen Defence.

“I am always challenging our people to think outside the five-sided box that is the Pentagon," Carter says in a statement. "Inviting responsible hackers to test our cybersecurity certainly meets that test.

"I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security."

Reg feature: The bug bounty boom

The Defense Digital Service will lead the bounty billed as being part of the Obama Administration's Cyber National Action Plan.

It will mean curious minds like former Pentagon hacker Gary McKinnon will be able to legally breach the five-sided fortress without fear of reprisal, provided they pass security checks and stay within scope.

Defence manages some 488 websites according to the agency.

Bugcrowd boss Casey John Ellis the Pentagon starting a bounty program is a big day for bug bounties.

"Defence have realised that bug bounties aren't restricted to something that the cool Silicon Valley kids do, they're actually a solution to a critical human capital crisis, and a way to level the resourcing and economic playing field against the adversary," Ellis told Vulture South.

"They're starting with background checked folks to instil enough trust in the model internally to get buy-in, and I'm sure they'll expand from there.

"Even calling it Hack the Pentagon is cool … someone there has their head on straight and has realised they have to appeal to a broader audience, and that requires a shift in how they think."

The need for Defence bug bounties has been raised previously while government auditors have been critical of agency information security practices, taking aim at scoping restrictions placed on hacking red teams.

Red teams are offensive security units tasked with breaking into targets by any means necessary.

The program demonstrates the current boom of the bug bounty industry which has exploded in recent years since it was first dreamt up by Netscape engineers some 20 years ago. ®

More about


Send us news

Other stories you might like