CIO

US DoD puts up $150,000 for first government bug bounty

  • Liam Tung (CSO Online)
  • 01 April, 2016 10:29

The US Department of Defense has opened the doors for hackers to register with its pilot bug bounty, dubbed "Hack the Pentagon".

The DoD announced the pilot at the beginning of March but didn’t reveal specifics of the program, including whether hackers could expect payment for finding and reporting bugs in DoD systems.

The department said today it will partner with third-party bounty platform, HackerOne, which recently added Uber to its list of bounties.

The company’s vulnerability coordination system is free for customers, but it charges a 20 percent fee to use its payment processing systems to send awards to participants.

DoD is not the first non-tech organisation to run a bounty, but it is the first US federal government organisation to test the model and is also probably the world’s largest end-user IT organisation.

DoD hasn’t spelled out how much it will pay for different types of bugs that researchers may discover, but it has allocated $150,000 in funding for the program, which isn’t a small sum given the pilot runs for less than one month.

"This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said Defense secretary Ash Carter. "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot."

The program is only open to US citizens, permanent residents, and non-US citizens with a permit to work in the country. Hackers who want to participate will also need to apply. US Defense employees are not allowed to participate; however, US government contractors are, and they will be eligible for awards if they find bugs.

The pilot will start on Monday, April 18 and conclude on Thursday, May 12.