The US Department of Defense has revealed plans to expand the Hack the Pentagon bug bounty program in an effort to eradicate as many security flaws as possible.
Hack the Pentagon, hosted by HackerOne, was a pilot scheme which ran from April 18 to May 12 this year, asking security researchers to sign up and find security flaws in US government web domains.
While no sensitive systems were included, the program turned out to be worthwhile, as over 1,400 security researchers contributed to the pilot program.
In total, 138 vulnerabilities submitted were considered to be "legitimate, unique and eligible for a bounty," Defense Secretary Ash Carter says. Payouts ranging from approximately $100 to $15,000 were awarded by the agency.
According to Carter, the program was a "considerable success" and has allowed the department to "build stronger bridges to innovative citizens who want to make a difference to our defense mission."
The program cost the US DoD $150,000 -- but hiring a security firm to conduct the same tests and find vulnerabilities would have raised the bill to over $1 million.
As a more cost-effective alternative, the US government has decided to expand the Hack the Pentagon scheme. Originally, the bug bounty program only covered five public-facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil. However, the DoD has announced plans to include "other parts of the department" in the near future.
A DoD spokesperson said:
"Although the pilot was a success, it only tested the crowdsourced security concept against public-facing websites. We believe the concept will be successful when applied to many or all of DoD's other security challenges."