Pentagon launches first bug bounty program

The US Department of Defense has opened registrations in what it claims will be the federal government’s first ever crowdsourced security vulnerability program.

The government has teamed up with Silicon Valley bug bounty specialist HackerOne to run a four-week pilot it has coined “Hack-the-Pentagon”.

Defense has put up US$150,000 (A$195,404) for the scheme, which will challenge researchers to find holes in several nominated public-facing websites from 18 April to 12 May.

Defense secretary Ashton Carter invited hackers to “take their best shot” at his web properties.

But the program will come with a number of caveats on who can and can’t secure vulnerability rewards.

“Eligible participants” must be US nationals and can’t be identified on government watch lists.

Participants who successfully submit a vulnerability will also have to agree to a criminal background check before they can receive their monetary prize “to ensure taxpayer dollars are spent wisely”.

No mission critical or core US defence systems will be involved in the program.

The scheme is being run out of the Pentagon’s new Defense Digital Service, established by Carter in November last year.

HackerOne expects to have doled out the bug bounty payments by 10 June.

The launch comes as the DoD continues to investigate what allowed hackers to break into the Office of Personnel Management and access millions of files on government and defence workers, including their security clearances, last year.