The Army is launching a third edition of its “Hack the Army” bug bounty program, with a plan for increasing participation in the program and offering more targets to hack.
Hack the Army 3.0 is set to start Dec. 14 and run until Jan. 28, or until all funding has been doled out to winners. The Army didn’t specify how much money is available. Hack the Army 2.0 awarded $275,000 in late 2019.
The entire Army.mil domain can be targeted this time by participating white-hat hackers, but the Army said it will only pay for discoveries in certain categories of vulnerabilities. Other available targets include sign-on/authentication services and Army-owned VPNs.
The program, run in partnership with Defense Digital Services, Army Cyber Command and the company HackerOne, mirrors other bug bounty programs across the military. The Department of Defense has tried to expand bug bounty programs as a means to catch security vulnerabilities, with the Air Force going as far as wanting hackers to be able to “make a living” off their bug bounty programs.
“The bounties offer both military and civilian participants a unique way to serve their country, while providing an innovative and effective means of ‘crowdsourcing’ security solutions more quickly and economically than by developing similar solutions through more traditional methods,” the Army said in its release.
San Francisco-based HackerOne runs the platform for working with freelance hackers. The company recently earned Federal Risk and Authorization Management Program (FedRAMP) Tailored Low-Impact Software-as-a-Service (LI-SaaS) clearance for agencies to continue running bug bounties and vulnerability disclosure programs with its software.
All participants are background-checked and given legal authority to probe Army networks for vulnerabilities. The hackers are also required to use VPNs that log and track their activity.