Earlier this year, the Department of Defense launched a “Hack the Pentagon” initiative, inviting vetted outside security researchers to find and report flaws in the DoD’s public-facing websites.
“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Ash Carter, U.S. Secretary of Defense, wrote in a statement at the time. “Inviting responsible hackers to test our cyber-security certainly meets that test.”
That initiative helped the DoD fix 138 vulnerabilities over a 24-day period, a result strong enough to convince the U.S. Army to launch its own “Hack the Army” bug bounty. HackerOne, the “vulnerability and bug bounty platform” that helped the Pentagon run its bug hunt, is reportedly participating in the Army version as well.
HackerOne’s website will host details about the Army’s contest in the coming weeks. If the program follows in the footsteps of the Pentagon’s, hackers will have the opportunity to probe public-facing websites, but will never get near mission-critical systems.
While bug bounties at public institutions are still relatively rare, private companies have embraced the practice as a way to crowdsource security testing. And at least on the surface, the logic seems sound: why rely on a handful of in-house security pros to hunt for vulnerabilities when thousands of researchers online can search in parallel, and you pay only for valid findings?
Yet bug hunts also have their limitations. For starters, outside bug-hunters are restricted to a small, explicitly scoped set of websites and features; the mission-critical systems at the heart of every organization’s infrastructure still need review by in-house experts or contracted testers. In addition, automated scanners and static-analysis tools can already catch many of the same classes of bugs, and crowdsourced reports bring their own overhead: duplicates, out-of-scope submissions and false positives that someone inside the organization still has to triage and verify.
But bug bounties can benefit organizations in another way: publicity. By offering to pay for reported vulnerabilities, even minor ones, firms position themselves as engaged with the security community. Even a large, old organization with a huge budget, like the Army, can show that it’s tech-forward by hosting a bug hunt.