Pentagon invites hackers to take their best shot | WORLD



As commercial companies conduct more and more business online, they increasingly turn to professional “white-hat” hackers to probe their networks for potential vulnerabilities.

Such “bug bounty” programs can be lucrative, with some hackers making hundreds of thousands of dollars, depending on the severity of the bug, according to PC Mag.

But today, the U.S. Defense Department (DoD) is launching the first bug bounty program in the history of the federal government. Running through May 12, the “Hack the Pentagon” program will use a crowdsourced team of registered hackers to target several DoD public websites. Critical computer systems associated with ongoing operations would not be part of the program.

“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” Defense Secretary Ash Carter said in a statement. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”

The Pentagon’s new Defense Digital Service (DDS) is managing the hack-a-thon. Carter launched DDS in November as part of a broader effort to reach out to the private sector for best practices and innovative technologies. It temporarily collects talent from the technology community to work for DoD on specific projects.

“We exist to bring in new ideas and to challenge the way things have been done because some of our approaches to technology need rethinking,” DDS director Christopher Lynch wrote in an article in the web magazine TechCrunch. Lynch said he and his team conceived Hack the Pentagon as a new way to let Americans participate in their collective cyber security.

“See, the bad guys aren’t waiting around for us to announce a bug bounty or to win an award,” Lynch wrote. “The bad guys are constantly hacking away at our systems looking for weaknesses.”

In 2012 alone, 25 percent of the 4 billion visits to DoD public websites likely were attempts to undermine security, according to DDS.

Any U.S. taxpayer can participate in the program, which has a budget of $150,000 to dole out to hackers who “submit a qualifying, validated vulnerability,” according to HackerOne, a Silicon Valley-based firm hired by DDS that specializes in bug bounty services. Participants must pass a background check before they can be paid.

The Hack the Pentagon program may be the first “official” bug bounty program in the federal government’s history, but it won’t be the first time the federal government has sought the help of professional hackers for a fee.

The FBI successfully cracked San Bernardino terrorist Syed Farook’s iPhone 5C with the help of professional hackers, who discovered a security flaw that allowed the FBI to bypass the phone’s 4-digit personal identification number without triggering the security feature that would have wiped the phone’s data, according to The Washington Post.

The government paid the professional hackers a one-time flat fee for their solution, according to The Post.


Michael Cochrane

Michael is a World Journalism Institute graduate and a former WORLD correspondent.

