Army fires up bug bounty program
- By Sean D. Carberry
- Nov 16, 2016
Following the Pentagon’s successful bug bounty program, the Army has announced its own "Hack the Army" initiative to tighten up security on its public-facing websites.
"What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security but lack an avenue to do so," said Army Secretary Eric Fanning when announcing the new initiative in Austin, Texas, on Nov. 11.
"There are people all over the world that are trying to get access to our sites, our data, our information, and we have a very well trained, incredibly capable team in the military, in the Department of Defense, but it's not enough," said Fanning. "The more different sets of eyes, more different teams…that we can bring to this problem, the more secure we're going to feel about our information."
The challenge is expected to involve public-facing recruiting sites that contain dynamic data, rather than the static data sites that were hacked in the DOD bounty program, Fanning said.
"This is dynamic content, this is where we're gathering personal information from people who want to join the Army and people who are in the Army, and we want to make sure that that information is secure," said Fanning.
Another change from the DOD bounty program is that Hack the Army will be open to members of the military -- active and reserve components -- as well as government civilians. The DOD program was open only to private civilians who passed through a security clearance.
Like its DOD predecessor, the Army bounty is being administered in partnership with HackerOne. The Hack the Pentagon competition attracted some 1,400 participants who generated more than 1,000 vulnerability reports -- 138 were resolved and the hackers received tens of thousands of dollars of prize money in return.
Fanning said that the Army bug bounty is part of the broader effort to make it easier for private industry to do business with the Pentagon. "We recognize that we can't continue to do business the way that we are and that we're not agile enough to keep up with a number of things in the tech world," said Fanning.
The Army will reveal the sites available to be hacked by participants in the coming weeks.
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.