The Department of Defense announced today that registration for its Hack the Pentagon bug bounty trial program is open, and that the program will be run on the HackerOne platform.
The trial of the government’s first bug bounty program will run April 18 to May 12. The DoD said only certain public-facing websites will be in scope, and that those, along with payment details, will be revealed to registrants as the start date nears. The DoD said payouts will come from a pool of $150,000 funding the program.
Katie Moussouris, HackerOne chief policy officer, said the trial is a monumental step not only for the government as it attempts to bar the door against attacks such as the next OPM hack, but also for the security research community, which can now poke about U.S. government online properties without the fear of legal action or incarceration.
“I think the broader implications of this: some of the community goals are pretty obvious. We need to modernize our approach to security, we need to identify what the priorities are for the next few years in making things more secure and to identify new security talent who can fill these positions and help us get better over time,” Moussouris said.
Participants must register through the program’s official page, and must be either a citizen, lawful permanent resident or alien authorized to work in the U.S. They must not be on the Treasury Department’s Specially Designated Nationals List, and have a Social Security or taxpayer identification number. To receive a payout for an accepted, verified vulnerability, a participant must also be able to pass a security check.
“In addition, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely,” the DoD said in a statement. “Screening details will be communicated in advance to participants, and participants will have the ability to opt out of any screening, but will forgo bounty compensation.”
Moussouris, who was at the forefront of launching a number of Microsoft bounty programs including the Bounty for Defense and Mitigation Bypass Bounty, likened this to the early moon shots.
“There are parallels to the space race and a cybersecurity space race. This is designed to inspire the next generation to become astronauts. Watching the moon landing inspires people to get into science. Watching someone not go to jail for hacking the Pentagon and getting paid is an inspiration.”
President Obama has signed a number of Executive Orders related to cybersecurity, most of which promote information sharing on threats and attack intelligence, as well as calls to reduce risks in critical infrastructure and federal agencies. Attacks such as the one against the Office of Personnel Management (OPM) that exposed security clearance data on millions of government employees going back to 1982, and the Sony hack put a real face on the threat to sensitive personal data.
“I think the fact they realize the need to take measures. The current approaches are not working. The OPM hacks let you know that without a shadow of a doubt,” Moussouris said. “I think governments have the same problems that large organizations do. You know you’re under attack. You know you have vulnerabilities, but if you can put enough compensating controls around it and you feel like you’ve addressed the risks sufficiently, but an attacker isn’t bound by your scope or your compensating controls. And they will get what they want to get if they want to.”