The US Defense Department announced recently that the Pentagon has approved hackers to test the cybersecurity of its public websites without fear of prosecution. Any hackers who promise to “do no harm” can attempt to hack into the Defense Department’s many public websites as long as they report any potential security vulnerabilities directly to Pentagon officials. This is an expansion of a pilot program launched earlier this year known as “Hack the Pentagon,” defense officials announced. The program marks the first time a federal agency has asked for public assistance in protecting its websites from threats, and it is backed by the Department of Justice.
Defense Secretary Ash Carter explained: “We want to encourage computer security researchers to help us improve. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
Carter launched the initial “Hack the Pentagon” bug bounty challenge in April. The month-long initiative allowed about 1,400 hackers approved by the Pentagon to test five Defense Department websites for security vulnerabilities that could have allowed attackers to steal personal information or to hijack a website and force it to post unauthorized content. The hackers discovered 138 vulnerabilities, and the Defense Department paid them a total of $75,000 for their efforts.
This time no money will be paid, and Pentagon officials hope hackers will challenge the security of Defense Department websites as a public service.
According to military.com, another Defense Department bug bounty program, “Hack the Army,” started recently. The initiative asks vetted hackers to find vulnerabilities in some of the Army’s non-public web applications in exchange for reward money.
Army Secretary Eric Fanning announced the new bounty program earlier this month. He vowed in his statement to continue to expand cybersecurity and find additional ways for the public to help the Pentagon secure its websites. Additional bug bounty programs through the other military services are expected in the future, according to the Defense Department.