Pentagon Looking for a Few Good HackersBug Bounty Program an Experiment in Continuous Rewards for White Hats
Cash rewards await white hat hackers in an experimental bug bounty program launched on American Independence Day by the U.S. Department of Defense.
The Pentagon has tinkered since 2016 with accepting vulnerability reports from security researchers, recently crediting researchers with the closure of more than 6,000 vulnerabilities on public internet-facing military IT systems during 2021, alone.
This newest pilot program, launched with vulnerability disclosure partner HackerOne, isn't the first time the military has offered to pay researchers for exploits, but it is the first to contemplate offering continuous rewards, the San Francisco-based company tells Information Security Media Group.
The pilot program has a cash pool of $110,000, with $75,000 earmarked for first-submitted, first-awarded high- and critical-severity findings, and $35,000 kept for awards such as the best finding on the army.mil domain.
The program runs through Monday. Its announcement comes shortly after the closure of a yearlong test run by HackerOne of bug bounties made with a few dozen volunteer companies from the defense industrial base.
Hackers are "uniquely well-equipped" to find vulnerabilities that other automated scanning and AI tools fail to detect, Alex Rice, HackerOne co-founder and chief technology officer, tells ISMG, noting that the DoD has long recognized the benefits of working with hackers.
Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers. A common criticism is that legitimate rewards for responsible disclosure are outstripped by what the open market offers for vulnerabilities.
HackerOne's stance is that money isn't the overriding motivation for all hackers. A recent company survey concluded that while bounties motivate about three-quarters of hackers, more than 8 in 10 say they also participate in bounty programs to expand their skills. More than 6 in 10 say bounties help advance their careers.
"Most people are generally good and would never engage in criminal behavior," Rice says.
July 7, 2022 08:21 UTC: This story has been updated to include additional responses from HackerOne.