The US Department of Defense (DoD) has confirmed that it will soon launch part three of its “Hack the Pentagon” bug bounty program, which was announced in 2016.
According to a dedicated page on the Sam.Gov website, the initiative relies on cybersecurity researchers to find vulnerabilities in government facility-related control system (FRCS) networks.
“The contractor will provide all the workforce required to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture, and shall provide materials, equipment, hardware, software, and training,” reads the draft of the Hack the Pentagon 3.0 Program Performance Work Statement (PWS).
FRCS infrastructure includes the systems used to monitor real estate facility systems such as fire and safety systems, heating, ventilation, and air conditioning (HVAC), utilities, and physical security systems.
“DoD has recognized a new need to tap into a diverse pool of innovative information security researchers. […] Vulnerability discovery, coordination and disclosure activities will be conducted via crowdsourcing,” the draft explains.
The document also clarifies that the bounty program “includes only unclassified information systems and the operational technology contained within them” in the Pentagon FRCS network.
“These are classified government assets. Therefore, contractors must tap into a private community of skilled and trusted researchers according to qualification standards established by the DoD.”
Additionally, the draft calls for researchers to have diverse skill sets and be able to perform source code analysis, reverse engineering, and network and system exploitation.
“The bounty execution or ‘challenge phase’ itself is expected to be no more than 72 hours. Access to assets and asset owners is provided to contractors upon contract award.”
The third installment of the Hack the Pentagon bug bounty program comes almost four years after the second installment, which was announced in April 2018.