Army to offer cash rewards to bug hunters who find security vulnerabilities in its recruiting sites and database systems that have ties to the Army’s core operational systems
The US Army Wants You. To hack into its computer systems, that is.
Inspired by the success of the nearly month-long “Hack the Pentagon” pilot program earlier this year, the US Army has announced a new bug bounty program in collaboration with HackerOne.
The “Hack the Army” initiative is similar to the Pentagon’s program in that it will give eligible white hat hackers a way to earn cash rewards for finding vulnerabilities in specified Army computing systems.
The goal is to try and strengthen Army cybersecurity measures by having independent security researchers and professional bug hunters take a crack at them, Secretary of the Army Eric Fanning announced at a press conference late Friday.
“The Army is reaching out directly to a group of technologists and researchers who trade in figuring out how to break into computer networks they are not supposed to,” Fanning said.
Typically, the inclination has been to avoid contact with such people, Fanning said. “Here, we are not just meeting them face-to-face, we are challenging them,” he said. “Take your best shot. Bring it on.”
Over the next few weeks, HackerOne will invite a group of security researchers and bug hunters to participate in the Army challenge. Unlike the Hack the Pentagon effort, the Army’s bug bounty program will be open to properly registered active duty military personnel and employees from civilian government agencies. The Army has secured all the necessary legal approvals to enable this participation, Fanning said.
The full list of Army websites and databases that bug hunters will be allowed to take a crack at under the program will be announced later. But Fanning described them as vital to the Army’s day-to-day recruiting mission.
Unlike the static websites in the Hack the Pentagon program, all eligible systems in the Hack the Army challenge host dynamic content and have deep ties to the Army’s core operational systems, he said.
“What Hack the Pentagon validated is that there are a large number of technologists and innovators who want to make a contribution to our nation’s security but lack an avenue for doing so.”
Hack the Army is only the second-ever bug bounty program from the U.S. federal government.
The 24-day Hack the Pentagon program between April 18 and May 12 this year was its first-ever and resulted in a total of 138 bugs being detected and resolved in the Pentagon’s systems.
The first bug submission to the program came just 13 minutes after the challenge was formally issued. It grew to nearly 200 submissions in six hours. Over the entire duration of the program, researchers submitted bug disclosures at the rate of nearly one every 30 minutes.
According to HackerOne, which managed that program as well, a total of 1,410 bug hunters registered with it for a chance to try and discover vulnerabilities in the Pentagon’s systems. Of that number, 250 were successful in finding vulnerabilities of which 138 were found to be legitimate and eligible for a cash bounty.
Payouts under the Pentagon pilot range from $100 to $15,000 to one individual with multiple successful bug submissions. HackerOne said it paid a total of $75,000 in big bounties under Hack the Pentagon.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio