The US Department of Defense (DoD) is encouraging security researchers from the general public to hack its IT systems and will pay them for reporting issues.
The DoD on Wednesday launched the “Hack the Pentagon” initiative, a pilot program that borrows from the private sector concept of security bug bounties, which essentially outsources elements of product security through a system that rewards hackers for finding and reporting bugs to the operator of an IT platform.
Google, Microsoft and Facebook are among a handful of tech firms that reward hackers for finding bugs in select products. The model has been emulated by firms in traditional industries, such as United Airways, General Motors, and Tesla.
In tech, Google’s bug bounty is probably the most widely known. The company awarded hackers $2m last year for finding bugs in Android, Chrome and other Google properties, but the model has never been used by a US public sector organisation.
As could be expected, the DoD program doesn’t mean open season on its systems but it will permit “qualified participants” to “conduct vulnerability identification and analysis on the department’s public webpages”.
“Participants in the bug bounty will be required to register and submit to a background check prior to any involvement with the pilot program. Once vetted, these hackers will participate in a controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system,” the DoD said in a statement today.
Out of scope will be the department’s “critical, mission-facing systems”. However, qualified hackers could be paid or given credit for their reports.
The department says it will release full details about the program at a later date.
A senior DoD official was quoted by Reuters as saying it expects thousands of hackers to join its initiative.
Facebook last year paid just under $1m to 210 researchers across the world for valid bug reports but received over 13,000 reports from 5,543 researchers. Google, Facebook and others in the bug bounty industry like to encourage high quality bug reports, which help cut costs associated with verifying and remediating security flaws.
Unlike private sector programs, the Pentagon will only permit US citizens in its program, according to Reuters. Also, they must only conduct testing on predetermined public-facing computer systems.
The program is being led by the Pentagon’s Defense Digital Service, which was launched by Defense secretary Ash Carter last year.
“I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” Carter said.
The initiative is being rolled out as the Pentagon assumes responsibility for records collected under the US government’s security clearance background checks after a security breach at the Office of Personnel Management resulted in private details of 22 million people being leaked to attackers. The office failed to encrypt any of the records it collected.
DoD has also commenced a massive desktop migration that is estimated to move four million machines to Windows 10 by February 2017.