Government , Industry Specific , Next-Generation Technologies & Secure Development

'Hack the Pentagon' Hackers Will Literally Hack the Pentagon

Ethical Hacking Session Will Focus on DOD Facility Related Controls System
'Hack the Pentagon' Hackers Will Literally Hack the Pentagon
The Pentagon, circa 1947 (Image: Theodor Horydczak/Library of Congress)

The next iteration of the "Hack the Pentagon" bug bounty program is getting literal, with a new list of targets for white hat hackers pegged to the network controlling the U.S. Department of Defense's headquarters building.

See Also: Strengthen Cybersecurity with Zero Trust Principles

The military has run periodic bug bounty programs since initiating "Hack the Pentagon" in 2016. Participants have revealed holes in the F-15 tactical air fighter and advanced secure hardware architectures. More than 3,000 hackers have participated, collectively netting more than $650,000 in bounty payouts.

A contract solicitation for the next session of ethical hacking lists the Pentagon's Facility Related Controls System network as the target. The network is wired into the command and communications center used by the president and the secretary of defense, a nearby office building housing a number of Pentagon agencies and the on-campus utility plant. Researchers will also be to probe for weaknesses in select Pentagon corridors, the basement and the mezzanine.

As the list suggests, both operational technology and operational technology are connected to the FCRS network.

The bounty program will last no more than 72 hours in person, and hackers will be physically located on the Pentagon campus.

Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers.

In September 2020, the Cybersecurity and Infrastructure Security Agency ordered most executive branch agencies and departments to create their own vulnerability disclosure programs (see: US Agencies Must Create Vulnerability Disclosure Policies).

In April 2020, the DOD Cyber Crime Center and the Defense Counterintelligence and Security Agency launched a 12-month Defense Industrial Base Vulnerability Disclosure Program for third-party firms and companies that are part of the Defense Industrial Base Sector and work with the Pentagon to supply technology and research.

Branches of the U.S. military have also operated their own vulnerability disclosure programs. A 2018 program run by the Air Force uncovered 120 vulnerabilities and paid out $130,000 to the hackers who revealed them.

Earlier in 2021, the Army launched its third "Hack the Army" program in conjunction with the Defense Digital Service and HackerOne.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.