Hack the Pentagon: First US government bug bounty programme opens for business

If you're not afraid of the Pentagon running a criminal background check on you, the department has some cash to fork out on security bugs in its public websites.
Written by Liam Tung, Contributing Writer

The Pentagon is preparing for the first bug bounty program in the history of the federal government.

Hackers will soon be able to probe U.S. Department of Defense (DoD) systems for security bugs under a new pilot bug bounty program.

The DoD has now opened registrations for the US government's first commercial bug bounty under a one month pilot dubbed "Hack the Pentagon". The program will award hackers with cash for finding new security flaws in certain DoD systems.

The DoD announced last week that it will be partnering with HackerOne, a firm that coordinates bug disclosures and facilitates payments to hackers around the world. The firm recently landed Uber on its platform with rewards of up to $10,000 for ferreting out critical bugs.

The department flagged the program in March but still hasn't revealed exactly how much hackers will receive for finding different classes of bugs. Payments will come from $150,000 in funding for the program, though it's not clear how much of that fund has been allocated to awards.

While the DoD pilot emulates bug bounties run by Google, Facebook and Microsoft, there are a few differences that may cause some to baulk at participating.

Firstly, hackers won't be paid unless they submit to a "basic criminal background check to ensure tax dollars are spent wisely", according to the Pentagon.

Participants will be alerted prior to the screening and may opt out of the process; however, opting out of the background check means they will receive no compensation.

To join the pilot, hackers will need to apply through HackerOne and submit signed tax documents.

The DoD hasn't yet revealed which DoD public websites hackers will be allowed to target, though it has clarified that "critical, mission-facing systems" are out of scope.

Defense is just testing the waters at this stage, with the pilot program scheduled to run for less than a month, between Monday April 18 and Thursday May 12. It's not clear whether the pilot bounty will become an integral part of the DoD's approach to online security.

The pilot is being led by the department's Defense Digital Service (DDS), a relatively new unit that is part of the White House's technology experts at the US Digital Service.
