By Eduard Kovacs at Securityweek
Following the success of the “Hack the Pentagon” initiative, the United States Army has announced its intention to launch its first ever bug bounty program in the coming weeks.
The Department of Defense (DoD) last month awarded a combined $7 million contract to HackerOne and Synack for helping the organization’s components launch bug bounty programs similar to Hack the Pentagon. The U.S. Army’s program, conducted in partnership with HackerOne, is the first of these projects.
The goal of the bug bounty program, dubbed “Hack the Army,” will be to complement the work of the Army’s own cybersecurity personnel.
No official details have been released so far, but Wired reported that “Hack the Army” will initially focus on recruitment websites and the databases that store personal information on both existing employees and new applicants. Other resources may be added to the program’s scope depending on its success.
Military and government personnel are accepted automatically; for other security researchers, the program is invitation-only.
The Hack the Pentagon challenge, which took place in April and May, was led by the Defense Digital Service and allowed anyone to register. Over 1,400 hackers signed up for the pilot program and more than 250 of them submitted at least one vulnerability report. Of the total number of submissions, 138 were valid and eligible for a bounty.
The cost of the Hack the Pentagon pilot was $150,000, half of which went to participants. The DoD believes it would have cost at least $1 million to hire an outside contractor to perform the same type of vulnerability testing.
Unlike governments, the private sector has long recognized the benefits of running vulnerability reward programs. Major players, such as Yahoo, Google and Facebook, have already paid out millions to researchers who contributed to making their systems and products more secure.