The delayed third edition of the US Department of Defense’s ‘Hack the Army’ bug bounty program is due to take place next month.
Hack the Army 3.0 – a collaboration between the US Army Cyber Command, Defense Digital Service, and vulnerability disclosure platform HackerOne – is scheduled to run from January 6 until February 17, 2021, or until funds are exhausted.
The invite-only exercise will bring together both military and civilian participants to look for security flaws in a dozen explicitly named domain targets of specific military interest, as well as in authentication services and army-owned virtual private networks (VPNs).
The entire army.mil domain is within scope, but “rewards will be paid only for discovering certain categories of vulnerabilities”.
‘More targets, bounties, and hackers’
Hack the Army 3.0 follows two previous editions of the exercise in 2017 and 2019. The exercise was initially due to begin in December.
Since its inception, the Hack the Army program has helped to resolve 1,000 valid vulnerabilities.
The latest edition of the vulnerability disclosure initiative offers “more targets, bounties, and hackers”, HackerOne told The Daily Swig.
“In its first year, we saw 371 registered participants, with 118 valid reports received and over $100,000 earned in bounties,” a spokesperson said.
“Whereas, in its second year we saw 52 trusted hackers, reporting 146 valid vulnerabilities and a payout of over $275,000.”
Public sector collaboration
Those interested in getting more information and applying to take part in Hack the Army 3.0 should visit the program’s website at HackerOne.
“Each year, Hack the Army grows in attendance and vulnerability reports,” the HackerOne spokesperson added.
“Cybersecurity needs to constantly evolve, and by leveraging the hacking community the Army is taking new and innovative steps to remain secure.”
Hack the Army 3.0 is part of HackerOne’s wider collaboration with the US Department of Defense. Other challenges have included Hack the Pentagon, Hack the Air Force, and Hack the Marine Corps.
The US DoD has now executed 14 public bounties on external-facing websites and applications, and 10 private bounties on a range of sensitive, internal DoD systems.