Cybersecurity

Defense Department is offering $110,000 in bug bounties

The Pentagon is offering white hats cash prizes for finding vulnerabilities in its public-facing systems via HackerOne.

Representatives from US combatant commands, in partnership with the Joint Artificial Intelligence Center, conduct an exercise. (US Air Force Tech. Sgt. Tommy Grimes)


Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

The Pentagon is offering cash for clunkers—specifically, bounties for anyone able to detect bugs and other vulnerabilities across a broad range of public-facing websites and apps.

The Defense Department initiative, called Hack US, runs from July 4 to July 11 and is in partnership with HackerOne, one of the bug-hunting platforms it’s worked with for years as part of its outreach to white-hat hackers. The Register reported that the program, which is being run by three separate DoD departments including its Cyber Crime Center, will pay out around $75,000 in bounties on a first-come, first-served basis, while another $35,000 will fall into special categories.

The Pentagon is offering $500 or more for high-severity bugs and $1,000 or more for critical ones. Those who nail vulnerabilities in special categories, such as the best finding on each of the service branches’ domains, can score up to $5,000 a hit. (If the DoD deems a bug worthy of only a low- or medium-severity CVSSv3 score, no prize is offered, but the report is still added to the DoD bug tracker.)

Government employees are eligible to participate in the program so long as they submit an official request to participate outside of their normal work hours.

HackerOne lists over 22,000 DoD-related reports as resolved over the years. As of Thursday afternoon, the Hack US page showed around 400 reports.

“This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible Department of Defense (DoD) information systems, including web properties, and submitting discovered vulnerabilities to DoD,” the program’s description reads.

In May, a DoD pilot program called the Defense Industrial Base-Vulnerability Disclosure Program, which was also run via HackerOne, found roughly 400 issues on sites and assets belonging to military contractors and other firms that comprise the defense industrial base.

HackerOne claims to have a base of hundreds of thousands of hackers, some of whom have reportedly made up to seven figures hunting down vulnerabilities at major companies, governments, and the military. It’s now popular enough that it has to worry about insider threats: Earlier this month, the company disclosed in a blog post that it had terminated an employee who it said had “improperly accessed security reports for personal gain…with the goal of claiming additional bounties.”

Bug-bounty programs in general are exploding, with analyst firm All the Research predicting the market to hit nearly $5.5 billion worldwide by 2027. North America is by far the largest market, at just shy of 50% in 2020, and is expected to remain so, the firm wrote.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
