The U.S. Army Cyber Command (ARCYBER), in association with the Defense Digital Service (DDS), the Army Network Enterprise Technology Command, and HackerOne, has launched the “Hack the Army 3.0” bug bounty program. The bug hunting is set to begin on December 14, 2020, and is slated to last until January 28, 2021, or until the allocated funds (of $100,000) are exhausted.
“Hack the Army” Bug Bounty Program
The U.S. Army initiated this program in late 2016, following the launch of the DoD’s Hack the Pentagon program, which was facilitated by the DDS earlier that year. The first edition of the Hack the Army challenge identified 118 unique and valid vulnerabilities from the 416 that were reported. A total of $100,000 was awarded in bounties to hackers for their legitimate findings. Nearly 400 hackers from around the world participated in this challenge, including government employees and military personnel.
The second edition of the challenge, which included more than 60 publicly accessible Army web assets for penetration testing, saw more than 145 security vulnerabilities identified. The Army awarded a total cash prize of $275,000 in bounties, with the single largest bounty costing $20,000.
Primary Objective of the Program
According to HackerOne, which is responsible for running the program, this exercise primarily serves four objectives:
- Build bridges to the private sector and talented hackers by “putting their money where their mouth is.”
- Make use of a diverse talent pool, many of whom would otherwise not work with the Army.
- Augment the incredible work the Army red teams and DDS workforce are already doing to help secure their systems and networks.
- Step up the security of mission-oriented systems and networks.
A statement from the Army read: “The bug bounties aim to evolve the security of DoD and Army networks, systems and data by allowing skilled civilian and military security researchers to perform specific techniques against select public-facing websites, to find vulnerabilities in those sites.”
“This is an effort for DoD to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. By doing so, the Army can ensure U.S. systems are as secure as possible.”
ARCYBER officials are hopeful of increased participation by military members and are finding ways to conduct bug bounty programs like this one more frequently in the future.
Interested candidates can apply for the DoD Bug Bounty Challenge “Hack the Army 3.0” here.