My guess is that if you stumbled across a website that called itself "Hack the Pentagon" and was decorated with a grisly-looking skull, you would probably think that you might be somewhere less than legitimate.
After all, normally if you hacked The Pentagon you would find yourself in heaps of trouble.
But that's not the case if you're an "ethical hacker" who has been vetted by the US Department of Defense, and a signed-up participant to the "Hack the Pentagon" scheme that the Directorate for Digital Services (DDS) has been running since 2016.
The initiative, which initially offered rewards of up to US $150,000 for security researchers who uncovered security holes on Pentagon websites, eventually resulted in the DDS running over 40 bug bounty programs which have flagged more than 2,100 vulnerabilities.
As for the initial Hack the Pentagon initiative, that expanded in 2021 from a carefully chosen list of specific websites to include all publicly-accessible Department of Defense systems - including everything from databases to IoT devices to industrial control systems.
This week, the DDS has launched an official "Hack the Pentagon" website, with the intent of promoting the success of bug bounty programs across the US military.
And yes, it has a big skull on its homepage.
It's good to see bureaucratic institutions like the US military adopt the best practices now widely adopted in the commercial world. In recent years more and more organisations have seen a real benefit in running bug bounty programs that work with security researchers to find and resolve vulnerabilities in a timely fashion.
"Through Hack the Pentagon, we're building a global talent pipeline for cybersecurity experts to contribute to our national defense outside of traditional government career paths," said Jinyoung Englund, Acting Director of the DDS.
Any security researchers who find a vulnerability are invited to visit the webpage of the Department of Defense's Vulnerability Disclosure Program.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.View all posts
May 16, 2023
March 10, 2023
June 06, 2023