14 DAY TRIAL // In a press conference at the Pentagon in Washington DC, on February 29, Defense Secretary Ash Carter and Joint Chiefs Chairman Gen. Joseph Dunford announced the first official government-sanctioned bug bounty program called "Hack the Pentagon."
The program is set to start in the upcoming month and will only allow US citizens to participate, after going through a thorough background check.
US officials said that, during the program's first iteration, only a select few public-facing services would be subjected to "hacking" attempts. Currently, there are no plans to open more sensitive systems to the program, or at least not immediately.
Former Microsoft executive is in charge
The program is an initiative of a new division in the US Department of Defense (DOD) called the Defense Digital Service (DDS) and led by former Microsoft executive Chris Lynch.
Mr. Lynch said that, using his contacts in the tech industry, he had already invited experienced coders and security researchers from companies like Google and Shopify to participate, affectionately calling their upcoming work a "tour of duty."
The bug bounty's program rules are still under work, but DOD officials have confirmed that researchers that participate and succeed in finding security flaws will receive monetary cash rewards.
Bug bounty programs are ubiquitous
During the past years, bug bounty programs have become the norm for many tech companies. Bug bounties allow companies to fix security flaws by having independent security researchers looking and probing their services before hackers have a chance to.
Over the last years, almost every major tech company has set up a bug bounty program, either on their own or through companies like HackerOne or Bugcrowd.
Some of the latest companies to set up a bug bounty program include the likes of cyber-security firm Malwarebytes and the Tor Project.
In a statement made in the past month, Facebook revealed that it paid bug bounty rewards of over $936,000 (€833,500) last year and more than $4.3 million (€3.83 million) since the program launched in 2011. Similarly, GitHub announced it paid $95,300 (€85,400) to 58 security researchers for 102 security vulnerabilities discovered in the past two years.
At the start of the year, Bugcrowd even published a guide for companies that wanted to set up a bug bounty of their own. The guide included basic policies and even a recommended price chart according to which top-level firms should pay at least $15,000 for a critical security bug.
DOD backing doesn't mean the program will be a success
"This is a great step in the right direction to addressing the critical need for cyber security skills in the US," Jonathan Cran, VP of Operations at Bugcrowd, told Softpedia. "We suspect that it's the first of many announcements from the Federal Government."
"This program will significantly further two of the first strategic goals announced by DoD last year: (1) Build and maintain ready forces and capabilities to conduct cyberspace operations, and (2) Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions," Mr. Cran also noted.
But the DOD will also face some problems, as Mr. Cran explains: "In general, researcher talent is more expensive in the US, so limiting the program to US-based, background-checked researchers may present challenges or simply require more incentives to participate. 33% of Bugcrowd's researchers are based in the US, and less than 10% of those voluntarily submit to background checks."
The same opinion is also shared by the security researchers themselves, represented by Pablo de la Riva Ferrezuelo, Founder and CTO of buguroo, a security company that provides ethical hacking and security auditing services. "I believe that one of the biggest values of bug bounty programs is the diversity of participant profiles and knowledge. If there are established limits for a participant’s nationality and citizenship, you will lose part of the exotic nature of the exercises and limit the results," Mr. Ferrezuelo explained.
"The announcement leaves a lot of questions about the scope and breadth of the program, and the research community looks forward to more details," Mr. Cran added, leveraging on his experience in managing Bugcrowd, a crowdsourced bug bounty program that serves clients such as Tesla Motors, Pinterest, Dropbox, Western Union, and many other more.
During the same press conference in which officials announced the upcoming "Hack the Pentagon" program, Defense Secretary Ash Carter and Joint Chiefs Chairman Gen. Joseph Dunford also revealed that the US had started an intense series of cyber-attacks against ISIS in Mosul, Iraq.
UPDATE: The article was updated with the opinion of somebody representing the community of security researchers, Mr. Pablo de la Riva Ferrezuelo from buguroo.