Army announces bug bounty program
Based on the "Hack the Pentagon" bug bounty program, the Army's effort will let military personnel and government civilians find vulnerabilities in the Army's recruiting websites.
That old Army slogan, "We Want You!" is taking on a new form. Now, the Army is saying, "We Want You -- to Hack Us!"
A few months after the Pentagon wrapped up its first bug bounty program, the Army, in coordination with the Defense Digital Service, is following suit with a newly announced "Hack the Army" program.
"What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security but lack an avenue to do so," said Army Secretary Eric Fanning when announcing the new initiative in Austin, Texas, on Nov. 11.
Fanning said that these bug bounty programs allow white hat hackers the opportunity to help make the DOD and now the Army's digital systems more secure.
The Army will reveal the sites available to be hacked by participants in the coming weeks. Fanning said to expect the challenge to involve public facing recruiting sites that contain dynamic data, rather than the static data sites that were hacked in the DOD bounty program.
"This is dynamic content, this is where we're gathering personal information from people who want to join the Army and people who are in the Army, and we want to make sure that that information is secure," said Fanning.
"These assets have deep ties to the Army's core operations, [and] as Secretary of the Army, the security of these foundational systems is incredibly important to me," Fanning added.
"There are people all over the world that are trying to get access to our sites, our data, our information, and we have a very well trained, incredibly capable team in the military, in the Department of Defense, but it's not enough," said Fanning. "The more different sets of eyes, more different teams…that we can bring to this problem, the more secure we're going to feel about our information."
Another change from the DOD bounty program is that Hack the Army will be open to members of the military -- active and reserve components -- as well as government civilians. The DOD program was open only to private civilians who passed through a security clearance.
Like its DOD predecessor, the Army bounty is being administered in partnership with HackerOne. The Hack the Pentagon competition attracted some 1,400 participants who generated more than 1,000 vulnerability reports -- 138 were resolved and the hackers received tens of thousands of dollars of prize money in return.
Fanning said that the Army bug bounty is part of the broader effort to make it easier for private industry to do business with the Pentagon.
"We recognize that we can't continue to do business the way that we are and that we're not agile enough to keep up with a number of things in the tech world," said Fanning.