The Department of Defense (DoD) is inviting hackers to hack the Pentagon. The program, named “Hack the Pentagon”, is the Federal Government’s first bug bounty program and will be modeled after those of private companies. It was announced as a pilot program to pay independent security researchers who disclose bugs in the Pentagon’s public-facing websites, with the aim of eventually rolling the initiative out to the DoD’s less public targets, including its applications and even its networks.
The DoD hasn’t yet named which of its websites are part of the program or how much it plans to pay for bug reports. But the announcement nonetheless represents the first time the U.S. federal government has launched a bug bounty program. This is an acknowledgement that even an agency with the Pentagon’s significant cyber security resources and expensive contractors doesn’t have enough eyes to find all its hackable vulnerabilities. Especially after the government spent US$1.2 billion on the Einstein firewall system in the last year alone, for a total projected cost of US$5.7 billion to fiscal 2018, and the system still failed to do its job, you can’t blame them for trying to rely on bounty programs.
The federal government, despite its massive IT spending, has seen repeated breaches over the last several years, including the unprecedented, disastrous breach of the Office of Personnel Management and a hack of the Pentagon itself last year—possibly by Russian hackers—that resulted in the shutdown of the Pentagon’s unclassified email system for weeks.
However, “eligible participants” must be US nationals and can’t be identified on government watch lists.
Participants who successfully submit a vulnerability will also have to agree to a criminal background check before they can receive their monetary prize “to ensure taxpayer dollars are spent wisely”. No mission-critical or core US defense systems will be involved in the program.
The problem is that not just anyone can hack into the network and call it research. Participants will have to register and submit to a background check before looking for bugs. Once they’re vetted, researchers will be given a predetermined department system and a set amount of time to access it.