The US Department of Defense (DoD) has confirmed it will soon launch the third part of its ‘Hack the Pentagon’ bug bounty program, first unveiled in 2016.
According to a dedicated page on the Sam.Gov website, the initiative will rely on cybersecurity researchers to find vulnerabilities in the government’s Facility Related Controls System (FRCS) network.
“The Contractor shall provide all labor, material, equipment, hardware, software and training required to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” reads a draft of the performance work statement (PWS) of the Hack the Pentagon 3.0 program.
The FRCS infrastructure includes systems used to monitor systems related to real property facilities like fire and safety systems, heating, ventilation, and air conditioning (HVAC), utilities, and physical security systems, among others.
“DoD has identified an emerging need to leverage a diverse pool of innovative information security researchers [...] via crowdsourcing, for vulnerability discovery, coordination and disclosure activities,” the draft explains.
The document also clarifies that the critical bounty program will only involve "unclassified Information Systems and operational technology contained within the Pentagon FRCS Network."
“These are sensitive Government assets; therefore, the Contractor will be required to leverage a private community of skilled and trusted researchers, which may be limited to US persons only, with eligibility criteria established by the DoD,” the draft explains.
Additionally, the draft is calling for researchers to be diverse in skillset and able to conduct source code analysis, reverse engineering and network and system exploitation.
“The bounty execution or ‘challenge phase’ itself is expected to last no more than 72 hours in person. Access to assets and asset owners will be provided to the Contractor upon Contract award.”
The third installment of the Hack the Pentagon bug bounty program comes almost four years after the second one, which was unveiled in April 2018.