The United States Department of Defense just launched the world’s first government-funded bug bounty program named HackThePentagon. Following the example of Facebook, Google, and other big US companies, the DoD finally provides “a legal avenue for the responsible disclosure of security vulnerabilities”.
However, breaking into the Pentagon’s weapon programs will still get you in trouble. This pilot program has a very limited scope of some non-critical systems and is open only between April 18 and May 12 this year. In total, about $150,000 in bounties may be awarded to responsible hackers.
Anyone can take part in the program, but to receive financial rewards, you need to fulfill a list of criteria. Your profile will undergo a criminal background check, and certain restrictions based on your country of residence may apply. Also, to hack into the government’s computer system and get a tax return, you must be a US taxpayer in the first place.
Even though this framework turns the initiative more into a one-month hacking contest than a permanently installed bug bounty program, it is certainly a good start. The program itself is hosted on HackerOne, a platform that aims to streamline the process of distributing bug bounties.
Hack the INSERT MOVIE REFERENCE HERE
Not so sure this is a good idea. I bet it will be difficult for some contestants to stop once they identify a vulnerability. I guess if this is a honeypot, then it’s safe, but then that’s not really “The Pentagon” is it?
Seems like a pretty good way for the Pentagon to identify/generate a list of hackers and then rate them based on skills/capabilities. Couple that with mandatory background checks. Is this a list you want to be on? What if you slip up and go too far by mistake?
They’ll either offer you a Government Job, or Government “Housing”. Either way, you know what you’ll be doing for the rest of your life.
I am not a hacker, but this is exactly the first thing that came to mind.
This is like asking hackers to volunteer their personal information.
I guess it is still possible to use a surrogate or a proxy. For 150,000, it’s probably still worth it.
The first time I saw this, my first thought was immediately: it’s either a trap or a recruitment exercise. Why can’t they just post puzzles like GCHQ? I think they are literally asking for trouble. :D
The solution: take the James Tiberius Kirk approach to the Kobayashi Maru and hack the site containing the rules :D
Seems like a good solution :D
“HackerOne reserves the right to change or modify the terms of this program at any time. If accepted to participate in this challenge, please check back often for any updates to this program.”
Wasn’t this the premise of The Last Starfighter?
Hack the Pentagon at their own invitation? Wow that really sounds like a great idea. I’ll get right on it.
It’s a TRAP!
The list of requirements shouldn’t be too difficult to arrange _after_ breaking in.
Wannabes will be all over this, but I can’t help but wonder what the government’s opinion of hackers will be. Surely they don’t believe this will actually work, do they?
Dang, I don’t remember who I spoke with that granted my username access to all the DoD shared drives…does that qualify as a hack?
s/Pentagon/Gibson/g
Yeah, what he sed!
This is a completely disingenuous attempt at securing their systems.
I bet Chinese hackers get their “prizes” all the time for finding bugs in Pentagon security. And I bet it’s a lot more than the total that is offered by the Pentagon.
Don’t help them do shit, ever.
“In connection with your participation in this program you agree to comply with all applicable federal, state, and local laws.”
How is that gonna work? Most likely hacking the Pentagon violates at least one law in the USA…
Accessing without authorization is illegal. Accessing WITH authorization is not illegal. This exercise is granting explicit authorization (given proper registration, yada yada) in an environment that merely simulates illegal intrusion. Otherwise professional pen testers would regularly go to prison for doing their jobs.
Hmm… Right after DARPA offers bounties for homebrew bomb designs. Wouldn’t recommend exposing yourself like this.
This is delusional. They will pat themselves on the back when the white hats don’t get in after 24 days. Let’s forget that the black hats come in teams (droves?), can spend years, and don’t play nice.
HONEYPOT! Danger Danger – Stay Away!
:) To the attack!
DOE has or recently had a similar program. Get past the cyber security of a national lab. IIRC, most attacks originate from the US anyway.