The US Government is running its first ‘Bug Bounty’ competition:
The DoD has now opened registrations for the US government’s first commercial bug bounty under a one month pilot dubbed “Hack the Pentagon”. The program will award hackers with cash for finding new security flaws in certain DoD systems.
The DoD recently announced that it will be partnering with HackerOne, a security firm that coordinates bug disclosures and facilitates payments to hackers around the world. The security firm has some large companies who use its services, including Uber – with prizes of up to $10,000 for individual bugs.
The DoD announced the program in March but still hasn’t revealed exactly how much hackers will receive for finding different classes of bugs. Payments will come from a $150,000 block of funding already set aside for the program, though it’s not clear how much of that fund has been allocated to awards.
United States Secretary of Defense: Ash Carter.
United States Secretary of Defense Ashton Carter said:
“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way. I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”
Defense is just testing the waters at this stage with the pilot program scheduled to run for less than a month between Monday April 18 and Thursday May 12. It’s not clear if the pilot bounty will transform into an integral part of DoD’s approach to online security.
The DoD pilot program emulates similar bug bounties run by Google, Facebook and Microsoft, there are a few differences that may cause some to hesitate before participating.
Participation and Payment Eligibility
Individuals are eligible to participate only upon meeting ALL of the following conditions:
- You must have successfully registered as a participant through this security page.
- You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
- You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
- You must not reside in a country currently under U.S. trade sanctions.
- You must not be on the U.S. Department of the Treasury’s Specially Designated Nationals list.
With the exception of United States Digital Service (USDS) personnel, who obtain the express approval of your supervisor to participate in the program as part of your official U.S. Government duties, U.S. Government employees and Active Duty military members, and current or former employees and contractors of the Defense Media Activity are not eligible to participate in this challenge. USDS personnel are ineligible to receive payment. U.S. Government contractors are eligible to participate and receive payment.
If you submit a qualifying, validated vulnerability, you may be eligible to receive an award, pending a security check. Specific information on payment eligibility will be provided upon acceptance into the program.
You may NOT participate in this challenge unless you comply with the relevant participation requirements described above.
The DoD hasn’t yet revealed which DoD public websites hackers will be allowed to target, though it has clarified that “critical, mission-facing systems” are out of scope. Those that enroll in the program will be provided the target websites as the program is launched.