The US Department of Defense (DoD) and HackerOne have officially launched a bug bounty program which will pay researchers to find and disclose security vulnerabilities in mission-critical army domains.
On Monday, bug bounty platform HackerOne revealed in a blog post that the DoD has outlined a new Vulnerability Disclosure Policy (VDP) which gives security researchers a legal backing for finding and responsibly reporting security flaws found in any of the department’s front-facing systems.
“This policy is a first of its kind for the US Government,” HackerOne says. “With DoD’s new vulnerability disclosure policy, hackers have clear guidance on how to legally test for and disclose vulnerabilities in DoD’s websites outside of bug bounty challenges. This new initiative underscores DoD’s commitment to working in partnership with the hacker community to improve security.”
The DoD is using HackerOne’s services to host and support a bug bounty program, dubbed “Hack the Army,” in tandem with the release of the VDP. The project was originally announced on 11 Nov by US Secretary of the Army Eric Fanning.
Registration for the program, which is the first of its kind for the US Army, is now open.
However, in the Hack the Army bug bounty program’s initial phase, participant numbers are limited to 500. Hackers can register their interest and, if invited back, can start poking around DoD US Army websites for the chance of rewards.
While there is no information on the exact compensation being offered to participating researchers, HackerOne says that the disclosure of valid security flaws can result in rewards of up to “thousands of dollars in cash.”
Prizes, however, will not be offered for vulnerabilities found outside of the bug bounty program.
It has not been disclosed exactly what flaws are of the most interest to the US government, but as with most bug bounty schemes, the most severe — including information leaks, communication channel hijacking, and remote code execution — are likely to be on the list.
HackerOne also says that targets for researchers will include “operationally significant websites including those mission critical to recruiting.”
“As Secretary of the Army, the security of these foundational systems is incredibly important to me, and security is everyone’s responsibility,” Fanning said. “We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future soldiers.”
The bug bounty program follows the successful Hack the Pentagon scheme, which ran from April 18 to May 12 this year and resulted in over 100 DoD vulnerabilities being disclosed and fixed.
The Hack the Army bug bounty will start on Wednesday, 30 November and end on 21 December.