The Department of Defense has announced “Hack The Pentagon 3.0″—its third iteration of a bug bounty hunting program—to identify vulnerabilities that exist on the Pentagon network. The DOD first launched Hack the Pentagon in 2016 with vendor HackerOne to coordinate a bug bounty program on department websites. More than 1,400 hackers participated, identifying 138 vulnerabilities and earning over $75,000 in bounty rewards.
The second iteration of Hack the Pentagon occurred in 2018 with two more vendors, Synack and Bugcrowd.
The third iteration was announced through a Sources Sought contract opportunity (aka Request for Information or RFI) that seeks vendors to propose capability statements in response to its Performance Work Statement (PWS).
Vendors are asked to “provide a Crowdsourced Vulnerability Discovery and Disclosure exercise of the Government’s Washington Headquarters Services (WHS) Facilities Services Directorate (FSD) Facility Related Controls System (FRCS) network.”
The primary focus will remain on operational technologies and vulnerabilities that keep the Pentagon building and grounds running.
“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination, and disclosure activities and to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” according to the performance work statement.
Participating white hat or ethical hackers will only have access to unclassified IT/OT (operational technology) systems, per the document. Actual hacking activities will occur only over a 72-hour period, on a to-be-determined date and time.
Due to the sensitive nature of the Pentagon and DOD systems, participants will be limited to “US persons only, with eligibility criteria established by the DOD,” the statement says.
Bug bounties are increasingly a positive way for governments, corporations, and businesses to identify vulnerabilities on their network, and have responsible, ethical hackers financially rewarded for their efforts. The US government has increased its bug bounty challenges over recent years and has expanded efforts across multiple agencies such as its DOD branches, General Services Administration, and Department of Homeland Security.
