Skip to main content

Department of Defense officially launches ‘Hack the Pentagon’ program

perdix drone swarm the pentagon united states department of defense
David B. Gleason/Flickr
The Pentagon wants hackers to put its websites’ cyber defenses to the test with its bug bounty “Hack the Pentagon” program. And Hack The Pentagon is now officially up and running, with a $150,000 bounty budget. Don’t just start hacking, though: in order for that to not be a felony, you need to sign up with HackerOne.

Vetted hackers will be invited to test the security of the Department of Defense website. The program, set up by the Pentagon’s Defense Digital Service (DDS), is focused on the public-facing sites and, at least for now, won’t include the testing of more private systems and networks that may contain sensitive data or details on weapons.

Bug bounty programs are pretty common. They’re used by companies like Google and Facebook as well as startups to encourage white-hat hackers to privately disclose vulnerabilities they find in their sites and services in return for a reward, usually cash.

Hack the Pentagon, which launches in April, is the first such program designed by the federal government and is modeled on these traditional bug bounty schemes. The details of the program are still being finalized and the prizes “could involve monetary awards” reports Reuters, but this has yet to be confirmed.

The Pentagon previously conducted such tests internally but the Department of Defense says it is expecting thousands of applicants. White-hat hackers who are interested must pass a background check before they can start testing the sites.

“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” said Defense Secretary Ashton Carter. Chris Lynch, head of DDS, added that “Bringing in the best talent, technology, and processes from the private sector … helps us deliver comprehensive, more secure solutions to the DOD.”

The Pentagon and several government departments are probably having a serious rethink of their cyber defense strategy following a pretty rocky couple of years that saw the Office of Personnel Management hacked, and most recently, the IRS breached by a cyberattack.

Interested parties can sign up with Hacker One, a security firm that specializes in hiring hackers to reveal vulnerabilities. Ars Technica is reporting a $150,000 bounty budget for the project, so finding a flaw could prove valuable.

Anyone legally permitted to work in the US can apply, pending a background check. The full details:

  • You must have successfully registered as a participant through this security page.
  • You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
  • You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
  • You must not reside in a country currently under U.S. trade sanctions.
  • You must not be on the U.S. Department of the Treasury’s Specially Designated Nationals list.

One more exception: Current members of the U.S. Military are not permitted to participate, with one exception: United States Digital Service personnel with express approval from their supervisors.

If all this applies to you, and you’ve got some skills, sign up and see what you can do!

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more