The US Department of Defense (DoD) has announced its fifth bug bounty program, which will run through April 29, 2018, and focus on the internal enterprise systems relied upon by millions of employees for global operations.
“The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at the DoD’s Defense Manpower Data Center. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”
To be eligible to participate in the latest bug-bounty challenge, individuals from the public must be United States taxpayers, or citizens of or eligible to work in the United Kingdom, Canada, Australia or New Zealand. US government active military members and contractor personnel are also eligible to participate but are not eligible for financial rewards.
Reward amounts have not been disclosed.
“Millions of government employees and contractors use and rely upon key enterprise systems every day,” said Reina Staley, chief of staff at Defense Digital Service. “Any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission. These bug-bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”
Since the Hack the Pentagon program kicked off in 2016, more than 3,000 vulnerabilities have been resolved in government systems. The first Hack the Air Force bug-bounty challenge resulted in 207 valid reports, and hackers earned more than $130,000 for their contributions; the second Hack the Air Force surfaced 106 valid vulnerabilities and paid $103,883 to hackers; Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000; and Hack the Pentagon in May 2016 resulted in 138 valid vulnerabilities resolved and tens of thousands paid to ethical hackers for their efforts.
“The most security mature organizations look to others for help,” said Alex Rice, co-founder and CTO at HackerOne, the platform provider for the effort. “The Department of Defense continues to innovate with each bug-bounty challenge, and the latest challenge is no exception. We’re excited to bring a fresh, mission-critical asset to the hacker community with the goal of protecting the sensitive government data it contains.”