Wanna hack the military? The Department of Defense is starting to give hackers more opportunities to test its systems without the threat of prosecution.
The department announced today that it is expanding its Hack the Pentagon program to include more DoD systems and networks. Hack the Pentagon pays hackers to find and report vulnerabilities in exchange for cash, and so far it’s proved effective — the first bug was reported 13 minutes after the program launched.
Hack the Pentagon initially ran as a pilot program between April 18 and May 12 of this year and only included five DoD websites, but DoD plans to develop it into a permanent program that collects vulnerability reports on more websites and systems. The introduction of Hack the Pentagon represents the first time the U.S. government has experimented with a commercial bug bounty that allowed participating hackers to be paid for discovering vulnerabilities.
“Although the pilot was a success, it only tested the crowdsourced security concept against public-facing websites. We believe the concept will be successful when applied to many or all of DoD’s other security challenges,” a DoD spokesperson said in a statement.
Hack the Pentagon was administered by the bug bounty platform HackerOne, which reports that the pilot generated 138 unique bug reports and a total of $71,200 in bounties paid to hackers.
One of the Hack the Pentagon participants, David Dworken, just graduated from high school. He said he reported 22 bugs to DoD, which he discovered during his free periods at school.
DoD is embarking on three measures to strengthen the program: developing a vulnerability disclosure process, expanding the bug bounty program, and adding incentives for DoD contractors to allow testing on their systems.
“With these efforts, we will capitalize on Hack the Pentagon’s success and continue to evolve the way we secure DoD networks, systems and information,” a DoD spokesperson said.