The U.S. Army has launched Hack the Army 3.0, a bug bounty program that is intended to help safeguard the Department of Defense (DoD) and Army networks, systems and data.
The initiative is a collaboration between U.S. Army Cyber Command (ARCYBER), Defense Digital Service (DDS), and the Army Network Enterprise Technology Command.
For the third iteration of Hack the Army, the active hacking phase will begin Dec. 14 and run through Jan. 28, 2021, or until funds are exhausted. In a press release, the Army said ARCYBER officials are hoping to increase participation by military members, and are looking at ways to conduct more frequent bug bounty programs in the future. While the Army hasn’t released the total budget for the program, it did confirm that civilian hackers who discover and successfully report vulnerabilities are eligible to earn cash rewards.
The first Hack the Army was held in late 2016 and brought in 371 “white hat” hackers, including 25 government employees, 17 of whom were uniformed military personnel. That initial hackathon yielded 118 valid vulnerabilities, and civilian hackers were awarded about $100,000 for their discoveries. The second Hack the Army was held late last year: 52 hackers from six countries found 146 valid vulnerabilities on publicly accessible Army websites in just over a month, and civilian hackers earned a total of $275,000 in that round.
The Army said that Hack the Army 3.0 will offer a dozen explicit domain targets of specific Army interest, as well as sign-on/authentication services and Army-owned VPNs. During the third iteration the entire *.army.mil domain can be targeted by participants as well, but rewards will be paid only for discovering certain categories of vulnerabilities.
The military has increasingly turned to white hat hackers to help identify security vulnerabilities, with Hack the Army 2.0 being the ninth bug bounty initiative within the DoD. The DoD has also run Hack the Pentagon, Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Defense Travel System, Hack the Air Force 3.0, and Hack the Marine Corps.
In terms of how the hackathon programs work, the Army explained that DDS works with the DoD component agencies whose digital assets are being examined, together with a trusted private-sector partner, to recruit researchers to conduct crowdsourced penetration tests. Unlike malicious hacking, registered participants are given legal consent to test a variety of DoD assets in order to uncover, and help fix, vulnerabilities.
The Army noted that all DoD bounty initiatives require researchers to undergo background checks. For bounties that test internal systems, researchers must pass a background check and citizenship verification before they can gain privileged access to DoD systems and information. Most private bounties also mandate the use of a virtual private network (VPN) so that researcher activity can be monitored and logged, giving system owners transparency and allowing deconfliction of researcher traffic from real attacks.