SAN FRANCISCO—The Pentagon is inviting hackers to hunt down vulnerabilities in select Defense Department websites through a new “bug bounty” initiative announced March 2.
Private companies such as Google [GOOG], Tesla Motors [TSLA] and Adobe Systems [ADBE] have used bug bounty competitions to tease out vulnerabilities in their own code, ultimately resulting in more secure systems.
The department plans to employ a similar process for its own “Hack the Pentagon” pilot program, the first bug bounty competition ever created by the federal government. Defense Digital Service—the Pentagon’s arm of a White House technology team—will lead the effort, which will involve vetting applicants, setting ground rules and then ultimately letting hackers loose in the hope of finding security flaws that can then be mended.
In a statement, Defense Secretary Ashton Carter said the initiative would strengthen the Pentagon’s digital defenses.
The department has not yet selected which public websites, networks or applications will serve as the target for the program, which is slated to launch this April. However, weapon systems, secure or classified websites and networks, and any site that hosts personally identifiable information will not be considered, at least not in this iteration of the program, senior defense officials told reporters.
“The goal is not to compromise any aspect of our critical systems but to still challenge our cyber security in a new and innovative way,” a senior defense official said. “This is a pilot program. This is a starting point. We don’t want to predict where this may go in the future.”
While the Pentagon and military services have used homegrown “red teams” of their own cyber employees to try to exploit their networks, one advantage of the bug bounty program is that it could link the department with technology experts and coding enthusiasts who normally wouldn’t work with the government.
“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” Chris Lynch, DDS director and entrepreneur who has founded a handful of tech companies, said in a statement.
A second senior defense official anticipated “thousands” of applicants. Those considered for the program will have to prove U.S. citizenship and go through a background check and vetting process to ensure they have no criminal history.
The details of the vetting process and potential awards—which could include monetary compensation—are still being finalized. However, the official stressed that the competition would not increase the risk to the department’s cyber infrastructure.
“We’re constantly under attack. I can’t possibly emphasize that any more,” the official said. “Our systems and our networks are constantly being attacked here. Nobody who is a bad guy is waiting for us to introduce a bug bounty to go after a DoD asset…They’re literally going after the systems that are publicly exposed right now.”
Intruders have breached Pentagon networks and websites a number of times, including the hacks of the Joint Chiefs of Staff email network and U.S. Central Command social media websites in 2015.