US Army Prepares Bug Bounty Program, Asks Hackers to Find Cybersecurity Exploits
Eric Fanning, Secretary of the Army, announced plans to set up a bug bounty. The US Army, according to the press release, partnered up with HackerOne to have eligible hackers find exploits in the Army's cybersecurity systems.
HackerOne is a "vulnerability coordination and bug bounty platform" that previously partnered with the Department of Defense for the widely successful "Hack the Pentagon." According to HackerOne, "Hack the Pentagon" participants revealed 138 vulnerabilities in 24 days.
The US Army's program will be similar in structure.
Following the initial hacking run, the Department of Defense will begin to expand these programs to other essential departments. The US Army is the first of these "bold" challenges, a HackerOne spokesperson said in a press release. So far, HackerOne has worked and had success with the following organizations: Uber, Twitter, New Relic, General Motors, GitHub, CloudFlare, Kaspersky Labs, Panasonic Avionics, Snapchat, Zenefits, and the Department of Defense.
The Secretary of Defense, Ash Carter, has been instrumental in promoting this level of interaction with the private sector.
Carter spoke about the usefulness of the "Hack the Pentagon" program:
By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The (program) showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.
The push for this type of initiative has not come from Carter alone. After the success of the DoD's first run, the idea took off.
Greg Touhill, U.S. Chief Information Security Officer, stated, "Frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered."
Fanning said that these hackers would, in essence, provide an external view of the Army's cybersecurity systems. The Army's own cybersecurity staff know what the systems look like from the inside, but skilled hackers could provide insight from an attacker's perspective.
The full details have not been released yet, and the US Army has not made a full public announcement through a platform of its own. However, the HackerOne press release mentioned that only "eligible hackers will be able to try to exploit the Army's systems." We can expect this event to very closely mirror the previous Pentagon one. In that program, participants had to be vetted and pass a mandatory background check before taking part.
In the partnership announcement, HackerOne said that the full details would be available soon. If one would like to "Hack the Army," they recommended checking the HackerOne Twitter account: @hacker0x01.