U.S. Army brings back bug bounty for round two
Bug bounty platform HackerOne, together with the Pentagon’s Defense Digital Service, announced on Thursday that they’ve officially launched Hack the Army 2.0.
The four-week-long challenge will allow ethical hackers to try their hands at finding vulnerabilities within more than 60 publicly accessible web assets. Find and report one, and you’ll be paid for your efforts. The opportunity is open to members of the military and government civilians, as well as individuals “invited” by HackerOne.
“I am looking forward to Hack the Army 2.0,” Lt. Gen. Stephen Fogarty, commanding general of Army Cyber Command, said in a statement. “Opening up the Army’s cyber terrain to the hacker community is exactly the type of outside-the-box, partnership approach we need to take to rapidly harden and better defend our most foundational weapons system: the Army network.”
The program is the second bug bounty that the Army has hosted through HackerOne. During the first, held in November and December 2016, 371 “white hat” hackers found 118 valid vulnerabilities and were awarded a total of around $100,000 for their discoveries.
It’s also the ninth bug bounty program that HackerOne has run at the Department of Defense. Led by DDS, the DOD has been super active in the bug bounty space since launching its first challenge, Hack the Pentagon, in 2016. Since then the agency has run a bunch of other bounties — Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Air Force 3.0, Hack the Defense Travel System and Hack the Marine Corps. In total, HackerOne says, these programs have helped the DOD find and resolve 10,000 vulnerabilities.
HackerOne CEO Marten Mickos praised the Pentagon’s wholesale embrace of this kind of vulnerability testing.
“Powered by the Defense Digital Service, the DoD has established the most iterative and effective approach to cybersecurity in the modern era,” he said in a statement. “Every initiative serves as an example to private and public sector organizations worldwide when it comes to strengthening cybersecurity posture.”