The Defense Department undertook a significant expansion of its new crowdsourced approach to cybersecurity Monday, opening its “Hack the Pentagon” challenge to literally anyone and providing them a legal route to report any security holes they find.
The program differs somewhat from other ongoing hacking challenges in which the Defense Department offered bounties to groups of pre-vetted white-hat hackers in penetration tests against specific DoD systems. The new, broader initiative doesn’t include any financial rewards, but does include a centralized portal to report security flaws on publicly accessible Defense networks and sets out a new policy under which hackers can feel free to prod live systems for bugs without fear of prosecution.
“The Vulnerability Disclosure Policy is a ‘see something, say something’ policy for the digital domain,” Defense Secretary Ash Carter said in a statement. “We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
Defense officials said the blanket disclosure policy, drawn up with help from the Justice Department’s criminal division, was the first of its kind in the federal government.
Under the policy, the Pentagon promises not to pursue legal action against hackers looking for holes in any public-facing DoD websites as long as they do no harm and report any vulnerabilities they find. DoD also promises to vouch for white-hat hackers in the event they’re prosecuted or sued by someone else for testing Defense systems.
It does not give them carte blanche, however. The department will consider them in violation of the policy if they pursue spearphishing attacks against DoD employees — even with good intentions — test systems via denial of service attacks, remove any data from Defense networks or take any action to publicize the security flaws they’ve found. The department could also deem someone to have run afoul of the policy if they flood the system with a large number of “low quality” bug reports.
HackerOne, a company that specializes in bug bounties, is running the new online portal for bug reporting as part of $7 million in contracts DoD awarded to HackerOne and Synack to expand its hacking contests last month. Officials said they would try to publicly recognize security researchers for finding bugs — if that’s their desire — whenever possible.
Also on Monday, the Army began accepting applications from up to 500 hackers to participate in its own version of the Hack the Pentagon challenge. The “Hack the Army” program, also coordinated through HackerOne, will offer cash payments for the discovery of verifiable security holes and will focus on “operationally significant” recruiting and personnel websites run by Army Human Resources Command.
“Security of these foundational systems is incredibly important to me, and security is everyone’s responsibility,” Secretary of the Army Eric Fanning said in a statement. “We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future Soldiers.”
Officials said the Army initiative is the largest of the bug bounties the military has run to date. It is also the first DoD hacker challenge to be open to military members and federal civilians, although they’re not eligible for bounties.
The bug bounty will start on Nov. 30 at noon and end by Dec. 21, officials said.