Thursday, March 16, 2017

US Army Prepares Bug Bounty Program, Asks Hackers to Find Cybersecurity Exploits

Eric Fanning, Secretary of the Army, announced plans to set up a bug bounty program. According to the press release, the US Army has partnered with HackerOne to have eligible hackers find vulnerabilities in the Army's cybersecurity systems.

HackerOne is a "vulnerability coordination and bug bounty platform" that previously partnered with the Department of Defense for the highly publicized "Hack the Pentagon" pilot. According to HackerOne, "Hack the Pentagon" participants reported 138 vulnerabilities in 24 days.

The US Army’s program will be similar in structure.

Following the initial hacking run, the Department of Defense will begin to expand these programs to other essential departments. According to a HackerOne press release, the US Army program is the first of these "bold" challenges. So far, HackerOne has run programs with the following companies: Uber, Twitter, New Relic, General Motors, Github, CloudFlare, Kaspersky Labs, Panasonic Avionics, Snapchat, Zenefits, and the Department of Defense.

The Secretary of Defense, Ash Carter, has been instrumental in promoting this level of interaction with the private sector.

Carter spoke about the usefulness of the “Hack the Pentagon” program:

By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The (program) showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.

The push for this type of initiative has not come from Carter alone. After the success of the DoD's first run, the idea took off.

Greg Touhill, U.S. Chief Information Security Officer, stated, "Frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered."

Fanning said that these hackers would, in essence, provide an external view of the Army's cybersecurity systems. The Army's own cybersecurity staff know what the systems look like from the inside, but skilled outside hackers can provide insight from an attacker's perspective.

The full details have not been released yet, and the US Army has not made a public announcement through a platform of its own. However, the HackerOne press release noted that only "eligible hackers will be able to try to exploit the Army's systems." We can expect this event to closely mirror the previous Pentagon one, where participants had to be vetted and pass a mandatory background check before taking part in the program.

In the partnership announcement, HackerOne said that the full details would be available soon. Anyone who would like to "Hack the Army" is advised to follow the HackerOne Twitter account, @hacker0x01, for updates.