Pentagon waives penalties for hackers to test its cybersecurity
WASHINGTON — The Pentagon has approved all so-called “white hat” hackers to test the cybersecurity of its public websites without fear of prosecution, the Defense Department announced Monday.
Any hacker who promises to “do no harm” can attempt to hack into the Defense Department’s many public websites, as long as they report any potential security vulnerabilities directly to Pentagon officials. The arrangement expands a pilot program launched earlier this year known as “Hack the Pentagon,” defense officials announced. The new program, called the Vulnerability Disclosure Policy, marks the first time a federal agency has asked for public assistance in protecting its websites from threats. The program is backed by the Department of Justice.
Defense Secretary Ash Carter described the policy as “see something, say something.”
“We want to encourage computer security researchers to help us improve our defenses,” Carter said in a statement. “This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
Carter launched the initial “Hack the Pentagon” bug bounty challenge in April. The monthlong initiative allowed about 1,400 hackers approved by the Pentagon to test five Defense Department websites for security vulnerabilities that could have allowed malicious attacks where personal information could have been stolen, or where hackers could have hijacked the website to force it to post unauthorized content. The hackers discovered 138 vulnerabilities, and the Defense Department paid them a total of $75,000 for their efforts.
The new initiative will not pay any of the hackers. Pentagon officials hope they will challenge Defense Department websites’ security as a public service.
Monday also marked the opening of registration for “white hat” hackers to enroll in the Defense Department’s second bug bounty program, “Hack the Army.” The initiative asks vetted hackers to find vulnerabilities in some of the Army’s non-public web applications in exchange for reward money.
Read more at: http://www.stripes.com/1.440517