Hack The Pentagon, Legally

The United States Department of Defense just launched the world’s first government-funded bug bounty program named HackThePentagon. Following the example of Facebook, Google, and other big US companies, the DoD finally provides “a legal avenue for the responsible disclosure of security vulnerabilities”.

However, breaking into the Pentagon’s weapon programs will still get you in trouble. This pilot program has a very limited scope (the Pentagon’s cafeteria menu, or rather some non-critical systems) and is open only between April 18 and May 12 this year. In total, about $150,000 in bounties may be awarded to responsible hackers.

Anyone can take part in the program, but to receive financial rewards, you need to fulfill a list of criteria. Your profile will undergo a criminal background check, and certain restrictions based on your country of residence may apply. Also, to hack into the government’s computer systems and get a tax return, you must be a US taxpayer in the first place.

Even though this framework turns the initiative into more of a one-month hacking contest than a permanent bug bounty program, it is certainly a good start. The program itself is hosted on HackerOne, a platform that aims to streamline the process of distributing bug bounties.

26 thoughts on “Hack The Pentagon, Legally”

  1. Not so sure this is a good idea. I bet it will be difficult for some contestants to stop once they identify a vulnerability. I guess if this is a honeypot, then it’s safe, but then that’s not really “The Pentagon” is it?

    1. I am not a hacker, but this is exactly the first thing that came to mind.

      This is like asking hackers to volunteer their personal information.

      I guess it is still possible to use a surrogate or a proxy. For 150,000, it’s probably still worth it.

  2. The first time I saw this, my first thought was immediately: it’s either a trap or a recruitment exercise. Why can’t they just post puzzles like GCHQ? I think they are literally asking for trouble. :D

      1. Seems like a good solution :D
        “HackerOne reserves the right to change or modify the terms of this program at any time. If accepted to participate in this challenge, please check back often for any updates to this program.”

  3. “In connection with your participation in this program you agree to comply with all applicable federal, state, and local laws.”

    How is that gonna work? Most likely hacking the Pentagon violates at least one law in the USA…

    1. Accessing without authorization is illegal. Accessing WITH authorization is not illegal. This exercise is granting explicit authorization (given proper registration, yada yada) in an environment that merely simulates illegal intrusion. Otherwise professional pen testers would regularly go to prison for doing their jobs.
