DoD hacking effort extended to Army

Expanded cyber effort also included new policy guidance for security researchers probing DoD nets for bugs.

Doubling down on what it characterizes as the early success of its bug bounty initiative, DoD officials announced another wave of cyber defense efforts this week that would pay legal hackers to detect network vulnerabilities on Pentagon unclassified websites.

The earlier "Hack the Pentagon" initiative uncovered 138 bugs, or network vulnerabilities. That program was extended last month with the launch of crowd-sourcing effort. This week, another follow-up effort called "Hack the Army" was announced along with a new DoD policy that allows security researchers to legally find and disclose network gaps on "public-facing" DoD websites.

Pentagon officials noted that the new "Vulnerability Disclosure Policy" approved by the U.S Justice Department provides a legal framework for legitimate security researchers to help strengthen cyber defense on DoD networks by probing for vulnerabilities.

 "We want to encourage computer security researchers to help us improve our defenses," said Defense Secretary Ashton Carter.  "This policy gives them a legal pathway to bolster the department’s cyber security and ultimately the nation’s security."

 Meanwhile, "Hack the Army" bug bounty challenge modeled after the earlier DoD-wide effort will focus on "more operationally relevant websites" such as the service's recruiting tools. "We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future soldiers," Army Secretary Eric Fanning noted.

The service initiative and new disclosure policy will be supplemented by a DoD initiative announced last month to extend the "Hack the Pentagon" program through a partnership with two cyber specialists. HackerOne and Synack received DoD contracts to launch their own "bug bounty" challenges that apply crowd-sourcing techniques to digital defenses.

DoD said this week it expects about 500 hackers to participate in bug bounty challenge. Participants would be eligible to receive bounty rewards. The three-week pilot program that ended in mid-May reportedly cost $150,000.

The Army hacking challenge begins at the end of November and extends through Dec. 21.

 The new DoD Vulnerability Disclosure Policy, meanwhile, seeks to create a "positive feedback loop between researchers and DoD," program officials said. "Information submitted to DoD under this policy will be used for defensive purposes—to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors."