Statement by Pentagon Press Secretary Peter Cook on DoD's Partnership with HackerOne on the "Hack the Pentagon" Security Initiative
The Department of Defense (DoD) announced today that interested participants may now register to compete in the "Hack the Pentagon" pilot. The pilot, designed to identify and resolve security vulnerabilities within DoD websites through crowdsourcing, is the first bug bounty program in the history of the federal government. DoD is partnering with HackerOne, a reputable Bug Bounty-as-a-service firm based out of Silicon Valley, to run the Hack the Pentagon pilot over the next several weeks.
The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12. Qualifying bounties will be issued by HackerOne no later than Friday, June 10. The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches. Critical, mission-facing computer systems will not be involved in the program.
HackerOne has set up a registration site for eligible participants. Eligible participants must be a U.S. person, and must not be on the U.S. Department of Treasury's Specially Designated Nationals list, a list of people and organizations engaged in terrorism, drug trafficking and other crimes; U.S. citizens and companies are prohibited from doing business with listed entities. In addition, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. Screening details will be communicated in advance to participants, and participants will have the ability to opt-out of any screening, but will forgo bounty compensation.
The registration site is now live and can be accessed at https://hackerone.com/hackthepentagon
The Hack the Pentagon pilot is modeled after similar challenges conducted by some of the nation's biggest companies to improve the security and delivery of networks, products, and digital services. By providing a legal avenue for the responsible disclosure of security vulnerabilities, bug bounties engage the hacker community to contribute to the security of the Internet.
Individual bounty payments will depend on a number of factors, but will come from the $150,000 in funding for the program.
"This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said Secretary Carter. "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."
The "Hack the Pentagon" initiative is being led by the department's Defense Digital Service (DDS), launched by Secretary Carter last November. The DDS, an arm of the White House's dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department's technological agility.