DoD launches ‘Hack US’ bug bounty program

The US Department of Defense (DoD) has launched its first bug bounty program called “Hack US”.

The DoD is experimenting with paid incentives in HackerOne's vulnerability disclosure program (VDP), according to the campaign page, by offering a limited bounty pool that started on 4 July. The challenge is open to the global public.

The DoD Cyber Crime Centre (DC3) has been running a vulnerability disclosure program for many years, according to Casey Ellis, founder and CTO at Bugcrowd.

"To see them 'upgrade' to a paid bug bounty program makes a lot of sense," Ellis added.

According to security experts, bug bounty programs have become increasingly popular among the public and private sectors alike, offering several benefits.

"It takes an army of adversaries to outsmart an army of allies, and many organisations are tapping into the community of millions of good-faith hackers around the world who are skilled, ready, and willing to help," Ellis said.

High and critical severity findings are the only submissions eligible for a bounty on any publicly accessible information systems, web property, or data owned, operated, or controlled by DoD.

The types of submissions received during this time will help inform the DoD on the feasibility of providing financial incentives for valid security issues identified across the DoD information systems on a continuous basis.

In total, the bounty pool is US$110,000, vulnerability submissions are allocated about US$75,000 on a first-submitted, first-awarded basis until that pool of $75,000 is exhausted entirely. Another $35,000 is reserved for vulnerability awards.