Pentagon Looking for a Few Good Hackers

Bug Bounty Program an Experiment in Continuous Rewards for White Hats
Cash rewards await white hat hackers in an experimental bug bounty program launched on American Independence Day by the U.S. Department of Defense.

The Pentagon has tinkered since 2016 with accepting vulnerability reports from security researchers, recently crediting researchers with the closure of more than 6,000 vulnerabilities on public internet-facing military IT systems during 2021 alone.

This newest pilot program, launched with vulnerability disclosure partner HackerOne, isn't the first time the military has offered to pay researchers for exploits, but it is the first to contemplate offering continuous rewards, the San Francisco-based company tells Information Security Media Group.

The pilot program has a cash pool of $110,000, with $75,000 earmarked for first-submitted, first-awarded high- and critical-severity findings, and $35,000 kept for awards such as the best finding on the domain.

The program runs through Monday. Its announcement comes shortly after the closure of a yearlong test run by HackerOne of bug bounties made with a few dozen volunteer companies from the defense industrial base.

Hackers are "uniquely well-equipped" to find vulnerabilities that other automated scanning and AI tools fail to detect, Alex Rice, HackerOne co-founder and chief technology officer, tells ISMG, noting that the DoD has long recognized the benefits of working with hackers.

Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers. A common criticism is that legitimate rewards for responsible disclosure are outstripped by what the open market offers for vulnerabilities.

HackerOne's stance is that money isn't the overriding motivation for all hackers. A recent company survey concluded that while bounties motivate about three-quarters of hackers, more than 8 in 10 say they also participate in bounty programs to expand their skills. More than 6 in 10 say bounties help advance their careers.

"Most people are generally good and would never engage in criminal behavior," Rice says.

July 7, 2022 08:21 UTC: This story has been updated to include additional responses from HackerOne.

About the Author

Brian Pereira

Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.
