Statement by Pentagon Press Secretary Peter Cook on DoD’s Partnership with HackerOne on the “Hack the Pentagon” Security Initiative
Release No: NR-113-16
March 31, 2016
The Department of Defense (DoD) announced today that interested participants may now register to compete in the “Hack the Pentagon” pilot. The pilot, designed to identify and resolve security vulnerabilities within DoD websites through crowdsourcing, is the first bug bounty program in the history of the federal government. DoD is partnering with HackerOne, a reputable Bug Bounty-as-a-service firm based out of Silicon Valley, to run the Hack the Pentagon pilot over the next several weeks.
The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12. Qualifying bounties will be issued by HackerOne no later than Friday, June 10. The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches. Critical, mission-facing computer systems will not be involved in the program.
HackerOne has set up a registration site for eligible participants. Eligible participants must be a U.S. person, and must not be on the U.S. Department of Treasury’s Specially Designated Nationals list, a list of people and organizations engaged in terrorism, drug trafficking and other crimes; U.S. citizens and companies are prohibited from doing business with listed entities. In addition, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. Screening details will be communicated in advance to participants, and participants will have the ability to opt out of any screening, but will forgo bounty compensation.
The registration site is now live and can be accessed at https://hackerone.com/hackthepentagon.
The Hack the Pentagon pilot is modeled after similar challenges conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services. By providing a legal avenue for the responsible disclosure of security vulnerabilities, bug bounties engage the hacker community to contribute to the security of the Internet.
Individual bounty payments will depend on a number of factors, but will come from the $150,000 in funding for the program.
“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” said Secretary Carter. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”
The “Hack the Pentagon” initiative is being led by the department’s Defense Digital Service (DDS), launched by Secretary Carter last November. The DDS, an arm of the White House’s dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department’s technological agility.
Hack the Pentagon Bug Bounty Program Launches on HackerOne
Hack the Pentagon?! On Thursday, March 31, 2016, the Department of Defense, arguably the world’s most powerful organization, announced it will partner with HackerOne for the “Hack the Pentagon” pilot program. For many outside of tech, this may sound implausible, crazy and maybe even irresponsible. Let’s look at how technology has evolved to the point where even the U.S. government is asking hackers to take their best shot.
It turns out that neighborhood watch works. One of the most effective ways of finding bugs is to ask those in the community to look for and report vulnerabilities to you.
Not long ago, an individual who found a security vulnerability in a company’s software could find themselves in court for trying to report that bug to a company. Over time, attitudes have shifted significantly. What was a risky hobbyist activity is now a viable and enviable career opportunity. Instead of legal gag orders, hackers are receiving invitations from companies to come hack them. The rewards paid make the best hackers wealthy.
There are good reasons for this shift in attitude. Our increasing reliance on technology is causing our collective attack surface to grow faster than we can keep up with. Cybercriminals are getting more sophisticated. The cost of a breach is becoming unbearable, resulting in stolen personally identifiable information, business disruption, damaged brands and the firing of executives. At the same time, finding vulnerabilities requires people with highly specialized skills and experience, and no company can hire all the best minds in security. So companies are turning to the public, inviting the best and brightest hackers to help them. Bug bounty programs have become the answer.
At least 20 years old, the bug bounty concept was started by Netscape which called on its technical customer base to share bugs they found in exchange for rewards. It spread from there to other large makers of software like Mozilla, Google, Facebook and Microsoft. Today, bug bounty programs, and more generally vulnerability coordination programs, have become a best practice for any organization that needs to stay secure – and now that includes the Pentagon.
The majority of the world’s companies did not start out as software companies running agile development processes. They started out in manufacturing, automotive, retail, banking and myriad other industries. But now every company is a software company. And with this shift, all companies must adopt best practices in software development, which include activating the worldwide hacker community to find and report vulnerabilities in their connected software before criminals can exploit them.
In the networked economy, help is just one click away when you have a “security@” email inbox to receive vulnerability reports from the public. The Department of Defense is in good company; just this January, General Motors launched its public vulnerability coordination program, inviting hackers to report flaws found in their web properties and vehicles. A little earlier a bug bounty program was launched for the wifi-enabled Barbie doll. Just recently, Uber opened up its program to the public, and launched a loyalty program for hackers.
No organization is so powerful that it does not need outside help in identifying its bugs. And furthermore, to be fully powerful, we must admit the presence of vulnerabilities. Only then can they be identified and fixed, and we can all become more secure.
Thousands of white hat hackers stand ready to help those who are both willing to invite, and ready to accept, help. We’ve entered the era of the global neighborhood watch. It’s working, and it’s making the Internet more secure.
– Mårten Mickos
Hack the Pentagon | Policy
Thank you for your interest in participating in HackerOne’s Department of Defense (DoD) “Hack the Pentagon” pilot, the first ever U.S. Government commercial Bug Bounty program. This is an effort for the Government to explore new approaches to its cybersecurity challenges and, by evolving to adopt the best practices used by the most successful and secure software companies in the world, to ensure U.S. systems and warfighters are as secure as possible.
The Hack the Pentagon Bug Bounty Pilot will start on Monday, April 18, 2016 and end on Thursday, May 12, 2016.
If you have information related to security vulnerabilities in the online services listed in scope below, we want to hear from you! We value the positive impact of your work and thank you in advance for your contribution. Please review all the participation and payment eligibility rules before you report a vulnerability. By participating in this pilot, you agree to be bound by all program rules.
Participation and Payment Eligibility
Individuals are eligible to participate only upon meeting ALL of the following conditions:
- You must have successfully registered as a participant through this security page.
- You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
- You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
- You must not reside in a country currently under U.S. trade sanctions.
- You must not be on the U.S. Department of the Treasury’s Specially Designated Nationals list.
With the exception of United States Digital Service (USDS) personnel who obtain the express approval of their supervisor to participate in the program as part of their official U.S. Government duties, U.S. Government employees, Active Duty military members, and current or former employees and contractors of the Defense Media Activity are not eligible to participate in this challenge. USDS personnel are ineligible to receive payment. U.S. Government contractors are eligible to participate and receive payment.
If you submit a qualifying, validated vulnerability, you may be eligible to receive an award, pending a security check. Specific information on payment eligibility will be provided upon acceptance into the program.
You may NOT participate in this challenge unless you comply with the relevant participation requirements described above.
In connection with your participation in this program you agree to comply with all applicable federal, state, and local laws. HackerOne reserves the right to change or modify the terms of this program at any time. If accepted to participate in this challenge, please check back often for any updates to this program.
By clicking “Apply Here” to participate in this Hack the Pentagon Bug Bounty Pilot challenge, you are confirming that you have read and understand, and agree to be bound by, these rules and restrictions, that you meet all eligibility requirements listed above, and that you understand that if you are not in compliance with these rules and restrictions you may be subject to civil and/or criminal liability.
Source: http://www.defense.gov/News/News-Releases/News-Release-View/Article/709818/statement-by-pentagon-press-secretary-peter-cook-on-dods-partnership-with-hacke