The US Department of Defence launched a new program last week, “Hack the Pentagon”, to reward hackers for pointing out security flaws in some of its public-facing websites. It’s a bug bounty, the same kind of program that most big tech firms use to encourage hackers to help instead of harm. The program budget is $US150,000 ($195,387), so rewards will be small, especially compared to private bounties.
But the meagre funding isn’t the biggest difference between the way companies like Facebook or Microsoft treat bug bounty participants and the way the Pentagon plans to treat them: The Pentagon is leaving itself a loophole so that some of the people allowed to participate in the program won’t be eligible for an actual monetary reward. More specifically: if you have a sketchy past (as defined by the Pentagon) you can participate, but you won’t get paid.
To participate in the “hack”, you have to meet a list of eligibility requirements; for instance, you can’t be on the US Department of the Treasury’s Specially Designated Nationals list, and you need to be able to work in the US. The eligibility requirements are straightforward — you can tell right away if you can participate or not.
Screenshot of Participation Eligibility: HackerOne
The payment criteria, however, are different. If you’re an ex-convict who also happens to be a hacker with an urge to help out the Department of Defence, we’ve got good news and bad news: You can participate, but you likely can’t get paid. Here’s what happens after you submit a reward-worthy bug:
In addition, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. Screening details will be communicated in advance to participants, and participants will have the ability to opt-out of any screening, but will forgo bounty compensation.
So you can spend time identifying a serious security flaw in a US government website, and you can turn it in, and it will be accepted — but if you have an imperfect past, you won’t be rewarded for your trouble.
The DoD doesn’t specify what would prevent someone from getting paid — whether any felony conviction makes you ineligible, whether any criminal record does, or whether only a history of cyber-crime counts. While the site states that these details will be “communicated in advance to participants”, they have not actually been released. The DoD declined to comment, but directed me towards the Office of Personnel Management’s FAQ page.
I don’t know why anyone who suspects they will fail the background check would bother submitting to a bug bounty they are deliberately excluded from benefiting from. Perhaps there are more extremely patriotic American ex-con hackers out there, just waiting for their chance to serve America free of charge, than I can imagine. (I can imagine zero.)
The DoD probably knows that some security experts have criminal histories, and wants to benefit from their knowledge anyway. It’s still bizarre to assume that these people will volunteer to participate despite getting stiffed on the reward. And much as I love a good honeypot conspiracy, the Pentagon wouldn’t dangle a grand total of $US150,000 ($195,387) as a way to entrap nefarious hackers. That’s like trying to catch flies with a molecule of honey.
“Hack the Pentagon” has a grand name, but it’s a small-scale pilot program. It’s almost a promising beginning to a larger initiative to attract outside talent to make US cybersecurity better. But like most of the government’s digital initiatives, it’s flawed and just kind of weird more than anything else.
Image by David B. Gleason