Following the success of the “Hack the Pentagon” bug bounty pilot project, the Department of Defense (DoD) unveiled two new initiatives on Nov. 21 to further improve department cybersecurity: the Digital Vulnerability Disclosure Policy and Hack the Army.
Bug bounty programs allow registered hackers to identify perceived vulnerabilities in a network and submit a report. If the vulnerabilities are determined to be legitimate, the hackers are eligible for a financial bounty or payment.
The first initiative is a new policy concerning the identification of network vulnerabilities. Starting Nov. 22 the Digital Vulnerability Disclosure Policy provides a legal way for security researchers to find and disclose vulnerabilities in any public-facing DoD systems.
“The Vulnerability Disclosure Policy is a ‘see something, say something’ policy for the digital domain. We want to encourage computer security researchers to help us improve our defenses,” Secretary of Defense Ashton Carter said in a statement.
“This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security,” he added.
DoD consulted with the Department of Justice’s Criminal Division while developing it. Assistant Attorney General Leslie Caldwell called this “a laudable way to help computer security researchers use their skills in an effective, beneficial, and lawful manner to reduce security vulnerabilities.”
The department also unveiled the opening of registration for its next bug bounty program, Hack the Army. Modeled after the earlier Hack the Pentagon pilot, this program will be focused on more operationally relevant websites, including those that affect recruiting. The Defense Digital Service, which led the earlier pilot, is partnering with the Army in this program.
Secretary of the Army Eric Fanning first announced this program in October. “We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future Soldiers,” he said in a statement at the time.
The department expects about 500 hackers to participate in the new bug bounty challenge and they will be eligible to receive thousands of dollars in rewards.