Security experts reckon the US government’s newly unveiled "Hack the Army" bug bounty programme may usher in greater co-operation across the whole arena of security research.
The US Army will offer cash rewards to hackers who find vulnerabilities in selected, public-facing Army websites under the scheme, which builds on the US military’s previous "Hack the Pentagon" programme.
The Hack the Pentagon programme gave security researchers the chance to earn money by finding bugs on static websites that “weren't operationally significant as targets”.
Hack the Army goes one step further by inviting security researchers to look for flaws in websites that handle dynamic exchanges of personally identifiable information, sites considered central to the Army's recruiting mission.
Chris Lynch, the US Department of Defense's head of Digital Service, said: "Hack the Army [will show] that bringing in creative hackers from a wide variety of backgrounds can fundamentally improve the way we protect our soldiers and secure our systems."
Army Secretary Eric Fanning added: "We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense. We're looking for new ways of doing business."
The Hack the Army programme will also usher in a new vulnerability disclosure policy.
“This policy makes me optimistic about the prospects for free and open security research,” said Tod Beardsley, senior security research manager, Rapid7, the firm behind the Metasploit penetration testing tool. “Instead of criminalising curiosity, this policy recognises the valuable contributions of the security experts when it comes to vulnerability discovery and disclosure.
“Adopting this policy goes a long way to legitimise the act of security research across all websites. Hackers the world over can point to this policy to help get other organisations, large and small, to recognise the reality that good faith efforts to ‘see something, say something’ have positive and immediate benefits when it comes to internet security,” he added.
HackerOne, a security consulting firm under contract with the Pentagon, will invite security researchers and bug hunters to participate in the Army challenge. US government civilians and active duty military personnel will also be authorised to participate. Registration for the program opened on Monday via https://hackerone.com/hackthearmy.
A full list of Army websites and databases that bug hunters will be permitted to hack under the program will be provided to registered and invited participants. ®