The U.S. Department of Defense (DoD) has launched its first-ever “Hack U.S.” bug bounty program.


According to the campaign page, the DoD is experimenting with paid incentives in HackerOne’s vulnerability disclosure program (VDP) by offering a limited bounty pool that started on July 4th. The challenge is open to the global public.


From July 4th, 2022 to July 11th, 2022, High and Critical severity findings only will be eligible for a bounty on any publicly accessible information systems, web property, or data owned, operated, or controlled by DoD. The types of submissions received during this time will help inform the DoD on the feasibility of providing financial incentives for valid security issues identified across the DoD information systems on a continuous basis.


The bounty pool for the engagement is $110,000 total. $75,000 will be allocated for vulnerability submissions on a first-submitted, first-awarded basis until that pool of $75,000 is fully exhausted. $35,000 will be reserved for vulnerability awards.


While the DoD Cyber Crime Center (DC3) has been running a vulnerability disclosure program for many years, to see them “upgrade” this to a paid bug bounty program makes a lot of sense, says Casey Ellis, Founder and CTO at Bugcrowd.


Bug bounty programs have become increasingly popular among the public and private sectors alike, and they offer several different benefits, according to security experts. “It takes an army of adversaries to outsmart an army of allies, and many organizations are tapping into the community of millions of good-faith hackers around the world who are skilled, ready, and willing to help,” explains Ellis. 


Bug bounty programs are quite successful for both organizations and security researchers. “Effective bug bounty programs limit the impact of serious security vulnerabilities that could have easily left an organization’s customer base at risk. Payouts for bug reports can sometimes exceed six-figure sums, which may sound like a lot. However, the cost for an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue,” says Ray Kelly, Fellow at Synopsys Software Integrity Group.


Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, says, “Technology companies that don’t offer bug bounty programs are already behind the curve. Given that almost all companies are technology companies these days, most public-facing companies should have vulnerability disclosure or bug bounty programs.”