The Department of Defense’s bug bounty program, known as Hack the Pentagon, is launching its third iteration. This time, it will focus on the facility control system network.
Hack the Pentagon 3.0, as the third iteration is known, will look into the facility control system’s network. The program was first launched in 2016 by HackerOne, when the Department of Defense asked ethical hackers to identify and report security issues in the Pentagon’s public web pages.
The Department of Defense launched a year-long bug bounty program called Hack the Pentagon in 2018. It sought to identify and report vulnerabilities in various high-value assets and hardware. On Friday, a draft solicitation for the third iteration of the program revealed that the Department of Defense would rely on ethical hackers to find and report vulnerabilities in the facility control system.
The Department of Defense uses Facility Related Control Systems (FRCS) to monitor and control equipment and systems at various facilities. These include fire and safety systems, HVAC equipment, and security systems.
According to the draft, the objective of the program is to collect information from a pool of innovative researchers to find and report vulnerabilities in a facility control system. It also aims to assess the system’s cybersecurity posture.
The Department of Defense is looking to partner with a company that has experience in commercial crowdsourcing to select a group of trusted and skilled researchers to participate in the project. Previous bug bounty programs, such as those launched by the U.S. Air Force, the U.S. Army, and the Marine Corps, also partnered with other organizations, such as Bugcrowd and HackerOne, to vet the researchers.
The draft stated that the Department of Defense would establish the requirements for the researchers to participate in the program. They should be able to perform various tasks, such as source code analysis and reverse engineering. The bounty phase of the program, which the draft states will last for up to 72 hours, will be conducted in person.
The success of previous bug bounty programs can be attributed to the well-managed nature of their operations. The Department of Defense’s experience also shows that DoD can significantly benefit from the information the researchers provide, as it can help improve the system’s security. One of the most important factors people should consider when implementing a similar program is having the necessary staff and processes in place.
Hack the Pentagon 3.0 is still in its early stages of research and development. To learn more about the program and its requirements, read the details of the draft invitation on the department’s website. The success of bug bounty programs has shown that they can help improve the security of the systems they’re used to monitor.
While system developers do their best to test for every possible flaw, history has proven that many flaws eventually end up in production systems. In a controlled setting, vulnerability discovery can be cost-effective and beneficial for cyber defenders.