Active U.S. military, federal civilians and individuals invited by HackerOne can participate in the service’s second bug bounty.
The Army kicked off its second bug bounty competition yesterday, according to a press release, offering hundreds of thousands of dollars to white-hat hackers able to find vulnerabilities in the service’s public-facing systems.
For the service’s second “Hack the Army,” a mix of federal civilians, active U.S. military and certain invited individuals will scour more than 60 publicly accessible web assets for vulnerabilities until Nov. 8. The top three U.S.-based hackers will be invited to participate in a team competition and awards ceremony at the end of the competition.
“Opening up the Army’s cyber terrain to the hacker community is exactly the type of outside-the-box, partnership approach we need to take to rapidly harden and better defend our most foundational weapons system: the Army network,” Lt. Gen. Stephen Fogarty, Army Cyber Command’s commanding general, said in a statement.
The Defense Department and its partners, HackerOne and the Defense Digital Service, have run nine bug bounty competitions since 2016. For the inaugural program, “Hack the Pentagon,” hackers uncovered 1,189 bugs and received about $75,000 in bounties. The Army was the first service to adopt the program, and the first bug was found within five minutes. In 2017, a 17-year-old scored the biggest bounty to date during “Hack the Air Force.”
Since then, lawmakers have pushed other agencies—including the Homeland Security and State departments—to adopt bug bounty programs. Critics, however, say the funds that pay for bug bounties may be better invested in agencies’ IT teams to remediate the backlog of known vulnerabilities.