'Hack the Pentagon' Hackers Will Literally Hack the PentagonEthical Hacking Session Will Focus on DOD Facility Related Controls System
The next iteration of the "Hack the Pentagon" bug bounty program is getting literal, with a new list of targets for white hat hackers pegged to the network controlling the U.S. Department of Defense's headquarters building.
The military has run periodic bug bounty programs since initiating "Hack the Pentagon" in 2016. Participants have revealed holes in the F-15 tactical air fighter and advanced secure hardware architectures. More than 3,000 hackers have participated, collectively netting more than $650,000 in bounty payouts.
A contract solicitation for the next session of ethical hacking lists the Pentagon's Facility Related Controls System network as the target. The network is wired into the command and communications center used by the president and the secretary of defense, a nearby office building housing a number of Pentagon agencies and the on-campus utility plant. Researchers will also be to probe for weaknesses in select Pentagon corridors, the basement and the mezzanine.
As the list suggests, both operational technology and operational technology are connected to the FCRS network.
The bounty program will last no more than 72 hours in person, and hackers will be physically located on the Pentagon campus.
Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers.
In September 2020, the Cybersecurity and Infrastructure Security Agency ordered most executive branch agencies and departments to create their own vulnerability disclosure programs (see: US Agencies Must Create Vulnerability Disclosure Policies).
In April 2020, the DOD Cyber Crime Center and the Defense Counterintelligence and Security Agency launched a 12-month Defense Industrial Base Vulnerability Disclosure Program for third-party firms and companies that are part of the Defense Industrial Base Sector and work with the Pentagon to supply technology and research.
Branches of the U.S. military have also operated their own vulnerability disclosure programs. A 2018 program run by the Air Force uncovered 120 vulnerabilities and paid out $130,000 to the hackers who revealed them.
Earlier in 2021, the Army launched its third "Hack the Army" program in conjunction with the Defense Digital Service and HackerOne.