Pentagon Launches Month of Bug Finding

The Department of Defense is to launch a pilot program that will allow qualified participants to “Hack the Pentagon”.

Following the landmark announcement at the start of March that the Pentagon will allow researchers to test the department’s cybersecurity profile, the DoD has partnered with HackerOne to run a one-month pilot during April and May. The pilot will allow hackers to target several DoD public websites, which will be identified to the participants as the beginning of the challenge approaches. Critical, mission-facing computer systems will not be involved in the program.

The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12. Qualifying bounties will be issued by HackerOne no later than Friday, June 10. Individual bounty payments will depend on a number of factors, but will come from a $150,000 fund for the program.

Eligible participants must be US nationals and not on the Department of Treasury's Specially Designated Nationals list. Successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. Participants will have the ability to opt out of any screening, but will forgo bounty compensation.

US Secretary of Defense Ash Carter said that the initiative will put the department's cybersecurity to the test “in an innovative but responsible way”.

“I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot,” he said.

Katie Moussouris, chief policy officer at HackerOne, told Infosecurity that this could influence other governments to follow and offer similar initiatives. She said: “I absolutely expect that after watching a successful bug bounty pilot with the US government, other governments and other non-traditional software companies in other industries will embrace the wisdom and mutual benefits of working with hackers. Hack the planet!”

The registration site is now live and can be accessed at

Source: Information Security Magazine