2022-07-08
Hack U.S.

Update (July 8th)

Trail Arms! The first-come bounty pool is exhausted: any submissions beyond this point are not eligible for a bounty. However, they are still eligible for the awards listed below. The best vulnerability in each of the categories below will receive $3,000, and the best vulnerability overall will receive $5,000. Submissions reopen at 10:00 AM EST.

Let me give you some SIGINT; the following domains offer you the best chance of qualifying for an award:

  • spaceforce.mil

  • dia.mil

  • nsa.gov

  • northcom.mil

  • southcom.mil

  • Non-web assets

Tips for the Unified Commander award: Check out this page - https://www.defense.gov/About/combatant-commands/

Tips for the No Such Agency award: Know your acronyms

The nine Department of Defense intelligence elements are the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA), the National Reconnaissance Office (NRO), and the intelligence elements of the five DoD services: the Army, Navy, Marine Corps, Air Force, and Space Force.

Purpose

This Fourth of July, celebrate Independence Day with the DoD and HackerOne by trying to Hack U.S. The DoD is experimenting with paid incentives in our VDP by offering a limited bounty pool starting on July 4th. Bounties will go faster than the fireworks, and only High and Critical findings will be eligible for an award. Themed bonuses are available for the best findings in different areas of the DoD, so explore the massive attack surface while enjoying the sun and BBQs. This challenge is open to the global public, so even if you don't typically celebrate the 4th where you are, we hope you will join us for a chance to earn some holiday cash and help Hack U.S.

From July 4th, 2022, to July 11th, 2022, High and Critical severity findings ONLY will be eligible for a bounty on any publicly accessible information systems, web property, or data owned, operated, or controlled by DoD. The types of submissions received during this time will help inform the DoD on the feasibility of providing financial incentives for valid security issues identified across the DoD information systems on a continuous basis.

HackerOne and the DoD are excited to work with this fantastic community of hackers worldwide to uncover potential serious issues in DoD assets.

This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible Department of Defense (DoD) information systems, including web properties, and submitting discovered vulnerabilities to DoD. If questions arise, please take no action until that action is discussed with the HackerOne team. Please email HackUSCampaign@hackerone.com with any questions.

Candidly, HackerOne views this format as experimental and welcomes any feedback from the hacker community regarding its execution. HackerOne needs your help to determine whether adding bounties to the DoD VDP results in more significant security issues being reported. Please let us know your thoughts on this structure and what you would love to see for the next one.

DoD VDP Policy

Please review the guidelines and requirements in the Department of Defense Vulnerability Disclosure Program. By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the terms and conditions of the program for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to publicly accessible DoD information systems, and that you consent to having the contents of the communication and follow-up communications stored on a U.S. Government information system.

Scope

Please refer to the scope described in the Department of Defense Vulnerability Disclosure Program.

How to Submit a Report

Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

Once a report has been reviewed and triaged, HackerOne will clone the report into the DoD VDP program, where hackers can track any remediation efforts.

Eligible Submissions

All submissions will be rated for severity using a standard CVSSv3 rating.

| Severity | Base Score Range |
| -------- | ---------------- |
| None | 0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |

Only submissions with a confirmed High or Critical severity rating will be eligible for a bounty. Any reports considered Low or Medium severity will not be eligible for a bounty and will be cloned to the DoD VDP program, where hackers can track remediation efforts.

Bounties and Awards

The bounty pool for this engagement is $110,000 total. $75,000 is allocated to vulnerability submissions on a first-submitted, first-awarded basis until that pool is fully exhausted; the remaining $35,000 is reserved for the vulnerability awards listed below.

This is not your typical continuous bug bounty program. Submissions that arrive after funds have been exhausted will be handled as normal submissions by the Department of Defense Vulnerability Disclosure Program. Please only participate in this campaign if you understand and accept this constraint. We will post daily updates on the status of the available bounty pool.

Vulnerability Awards

| Name | Description | Amount |
| ----------------- | ------------------------------------------------------------------------------------ | ------ |
| You Hacked U.S. | Best finding in the Hack U.S. event | $5,000 |
| Army Strong | Best finding on an Army domain, e.g. *.army.mil | $3,000 |
| Devil Dog | Best finding on a Marine domain, e.g. *.marine.mil | $3,000 |
| Maverick | Best finding on a Navy domain, e.g. *.navy.mil | $3,000 |
| On Patrol | Best finding on a Coast Guard domain, e.g. *.uscg.mil | $3,000 |
| The Sky's No Limit | Best finding on an Air Force domain, e.g. *.af.mil | $3,000 |
| Eyes Up | Best finding on a Space Force domain, e.g. *.spaceforce.mil | $3,000 |
| No Such Agency | Best finding on an intelligence domain, e.g. *.dia.mil, *.nsa.gov | $3,000 |
| Unified Commander | Best finding on a Unified Combatant Command domain, e.g. *.northcom.mil, *.southcom.mil | $3,000 |
| Estate Sale | Best finding on a Fourth Estate domain, e.g. *.disa.mil, *.darpa.mil | $3,000 |
| Web 3 Dot What? | Best finding on a non-Web asset | $3,000 |

Government/Military Participation

  • Government employees are authorized to participate in this program when off-duty. Employees must submit an “Off-duty employment request.”

  • Participation while on duty is considered unethical, chiefly because it would mean receiving a payout on top of normal salary.

  • Government employees' knowledge of and experience with DoD systems could create an unfair advantage; however, the DDS (Defense Digital Service) position is that such knowledge and experience should not be viewed as a barrier or risk to participation.

  • Researchers must not use any access advantage (e.g. CAC/PIV credentials) or knowledge advantage (e.g. vulnerabilities known internally) gained from current employment with the Department of Defense or its affiliates.

In Scope

| Scope Type | Scope Name |
| --------------- | ------------------------------- |
| ios_application | *.ioss.gov |
| web_application | *.mil |
| web_application | *.adlnet.gov |
| web_application | *.aftac.gov |
| web_application | *.altusandc.gov |
| web_application | *.businessdefense.gov |
| web_application | *.cmts.gov |
| web_application | *.cnss.gov |
| web_application | *.ctoc.gov |
| web_application | *.cttso.gov |
| web_application | *.dc3on.gov |
| web_application | *.defense.gov |
| web_application | *.fehrm.gov |
| web_application | *.fvap.gov |
| web_application | *.iad.gov |
| web_application | *.itc.gov |
| web_application | *.iwtsd.gov |
| web_application | *.jccs.gov |
| web_application | *.mojavedata.gov |
| web_application | *.mtmc.gov |
| web_application | *.mypay.gov |
| web_application | *.nationalresourcedirectory.gov |
| web_application | *.nbib.gov |
| web_application | *.nrd.gov |
| web_application | *.nro.gov |
| web_application | *.nrojr.gov |
| web_application | *.nsa.gov |
| web_application | *.nsep.gov |
| web_application | *.oea.gov |
| web_application | *.oldcc.gov |
| web_application | *.tak.gov |
| web_application | *.tswg.gov |
| web_application | *.usandc.gov |
| web_application | *.af.edu |
| web_application | *.afit.edu |
| web_application | *.armyuniversity.edu |
| web_application | *.armywarcollege.edu |
| web_application | *.cdse.edu |
| web_application | *.dau.edu |
| web_application | *.dcita.edu |
| web_application | *.dlielc.edu |
| web_application | *.dliflc.edu |
| web_application | *.dodea.edu |
| web_application | *.ndu.edu |
| web_application | *.nps.edu |
| web_application | *.usafa.edu |
| web_application | *.uscga.edu |
| web_application | *.usma.edu |
| web_application | *.usmcu.edu |
| web_application | *.usmma.edu |
| web_application | *.usna.edu |
| web_application | *.usnwc.edu |
| web_application | *.usuhs.edu |
| web_application | *.westpoint.edu |

Out of Scope

| Scope Type | Scope Name |
| --------------- | ---------- |
| web_application | *.hive.gov |
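Before pointing any tooling at a host, it pays to check it against the scope tables mechanically rather than by eye. The following is an added example, not code from this page or from HackerOne or the DoD: it normalises a bare hostname or URL, matches it against a constructed subset of the in-scope and out-of-scope wildcards above (exclusions are checked first), and maps in-scope hosts to the award buckets from the Vulnerability Awards table. Two things are this example's own assumptions rather than rules stated on the page: that a `*.example.mil` wildcard also covers the apex `example.mil` (controlled by the `include_apex` flag), and that each award's "e.g. *.army.mil" hint can be treated as a hostname suffix.

```python
"""Scope and award-bucket check for a HackerOne-style wildcard scope list (added example)."""
from urllib.parse import urlsplit

# Constructed subset of the in-scope and out-of-scope entries published on this page.
IN_SCOPE = ["*.mil", "*.defense.gov", "*.nsa.gov", "*.nro.gov", "*.usna.edu"]
OUT_OF_SCOPE = ["*.hive.gov"]

# Award buckets from the Vulnerability Awards table. Reading each "e.g. *.army.mil"
# hint as a hostname suffix is an assumption of this example, not a rule on the page.
AWARDS = [
    ("Army Strong", ["*.army.mil"]),
    ("Devil Dog", ["*.marine.mil"]),
    ("Maverick", ["*.navy.mil"]),
    ("On Patrol", ["*.uscg.mil"]),
    ("The Sky's No Limit", ["*.af.mil"]),
    ("Eyes Up", ["*.spaceforce.mil"]),
    ("No Such Agency", ["*.dia.mil", "*.nsa.gov"]),
    ("Unified Commander", ["*.northcom.mil", "*.southcom.mil"]),
    ("Estate Sale", ["*.disa.mil", "*.darpa.mil"]),
]


def hostname(target: str) -> str:
    """Reduce a bare host or a URL to a lowercase hostname with no port or trailing dot."""
    t = target.strip()
    if "://" not in t:
        t = "//" + t  # make urlsplit treat the whole string as a netloc
    host = urlsplit(t).hostname or ""
    return host.lower().rstrip(".")


def matches(pattern: str, host: str, include_apex: bool = True) -> bool:
    """'*.x.mil' covers any label depth under x.mil; whether it covers the apex x.mil
    itself is program-specific, so it is a flag (assumed True here)."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        if host == base:
            return include_apex
        # Suffix match on a label boundary: 'evil-army.mil' must not match '*.army.mil'.
        return host.endswith("." + base)
    return host == pattern


def scope_status(target: str, include_apex: bool = True) -> str:
    """Return 'in-scope', 'out-of-scope', 'unknown' or 'invalid' for a host or URL."""
    host = hostname(target)
    if not host:
        return "invalid"
    # Exclusions are evaluated before inclusions so an explicit out-of-scope entry wins.
    if any(matches(p, host, include_apex) for p in OUT_OF_SCOPE):
        return "out-of-scope"
    if any(matches(p, host, include_apex) for p in IN_SCOPE):
        return "in-scope"
    return "unknown"


def award_bucket(target: str):
    """Name of the themed award an in-scope host could qualify for, or None."""
    if scope_status(target) != "in-scope":
        return None
    host = hostname(target)
    for name, patterns in AWARDS:
        if any(matches(p, host) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    for t in ["https://www.spaceforce.mil/", "portal.hive.gov", "nsa.gov",
              "evil-army.mil.attacker.com", "www.defense.gov"]:
        print(f"{t:35} {scope_status(t):13} {award_bucket(t)}")
```

"Unknown" is the important third state: a host that matches nothing is not implicitly in scope, and anything not publicly accessible remains off-limits regardless of what the matcher says.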


This policy was crawled by Onyphe on 2022-07-08 and is sorted as bounty.
