US DoD announces bug bounty programme
Opening in April 2016, the US DoD will open a bug bounty programme to try and crowdsource the security of their public facing websites and internal networks.
The United States Department of Defence (DoD) has announced it is opening a bug bounty programme, in a bid to boost the security of networks and public facing websites.
Officially inviting hackers to the programme in a press release the defence bods are dubbing it “the first cyber bug bounty program in the history of the federal government”.
Opening in April 2016, the DoD is asking hackers to target its networks as well as the public facing websites which are managed by the DoD as the department looks to ‘crowdsource' its vulnerability testing.
“This innovative project is a demonstration of Secretary Carter's continued commitment to drive the Pentagon to identify new ways to improve the department's security measures as our interests in cyber space evolve.”
Unfortunately, the “Hack the Pentagon” program is currently only open to US citizens, but the Pentagon are saying that participants could win cash rewards and recognition for their work. The DoD is yet to confirm what the actual bounty will be upon successful penetration of its network or web pages.
To take part in the program, hackers will need to undergo a background check, and to ensure no one is targeting critical DoD infrastructure, hackers will be given a predetermined system the DoD would like them to hack and a set amount of time to carry out the hack in.
According to Chris Lynch, Director of Defence Digital Service that's actually behind the "Hack the Pentagon" initiative, "Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."
The DoD currently manages 448 websites related to several military units, combine this with the OPM breach which saw PII of 21.5 million US government employees, the hacking of FBI systems which saw at least 20,000 agents' details stolen and the regular cyber attacks conducted on Pentagon systems, it is easy to see why it could use a few more helping hands to help protect endangered state secrets and boost security measures to counter cyber attacks.
This could be seen as a positive change from the DoD which normally audits itself internally - the new initiative could bring fresh eyes on keeping DoD infrastructure safe. The DoD will provide more details on requirements for participation and other ground rules in the coming weeks.
Monzy Merza, Chief Security Evangelist and Director of Cyber Research at Splunk commented, "The DoD already has mature red teams and offensive cyber capabilities. Bug bounty programs are fairly common in the technology industry. This DoD program will strengthen DoD deployments, exercise blue team capabilities, and shine a light on those who build the DoD's Internet presence.”
He went on to explain that, “Bug bounty programs typically pay for performance, thus this is a good precedent to reduce the contracting friction in doing business with the DoD. As the bug bounty program becomes more successful, the DOD will enhance its IT environments to include greater degrees of visibility and automation. Like most organisations, the DoD is challenged with human resource shortages for cyber defenders and this program may also serve as a recruiting tool."