The Defense Department’s revolutionary bug bounty program, just a week into its monthlong run, is already shaping up to be one of the largest and most transparent that partnering company HackerOne has ever worked on, according to one of the startup’s executives.
There has already been a “healthy amount of activity” in the first week of the “Hack the Pentagon” program, Alex Rice, HackerOne CTO and co-founder, told FedScoop. More than 500 vetted hackers are hunting for security vulnerabilities in DOD’s infrastructure.
Although he wouldn’t say whether any would-be hackers had found a way in yet, Rice said they always do in the end.
“We’re pretty optimistic that we’ll be seeing good results by the end,” Rice said, pointing to the program’s scope and the transparency with which DOD is approaching it as key indicators of likely success.
It’s a rare example of “the federal government leading the way in technological innovation ahead of many of their industry peers,” he said.
Some of the larger private companies that run bug bounty programs do so under the radar, never announcing their invite-only competitions publicly, and get only a hundred or so participants over a monthslong timeframe. The Pentagon, however, opened registration to the American public, requiring participants to be citizens and to undergo a basic background check, and attracted five times that number to blitz its security systems for a little less than a month, enticing them with cash prizes from the $150,000 pot that funds the competition.
Rice said he doesn’t typically see this level of day-one activity.
“By bringing this large pool of people together, you’ll have some people that are only focused on a specific category of vulnerability, and that’s their bread and butter, what they’re known for and what they’re really good at,” he said. “Security vulnerabilities take many, many different forms, and not every individual approaches it in the same way. And it is that diversity of creativity that helps make these programs far more effective than a traditional security assessment, which has a limited range of experience applied to the problem.”
The first bug bounty program in the federal government, “Hack the Pentagon” — a name that was hard to get DOD approval for, according to Chris Lynch, director of the Defense Digital Service team that’s leading the initiative — was a huge success in terms of interest from independent white-hat hackers wanting to participate.
“Just over 24 hours after announcement we had over 500 registrations with over 10 qualified hackers signing up per hour,” Lynch wrote in a contributed article for TechCrunch.com.
“That shows the desire to help and be a part of making the US Defense Department or the Pentagon better, stronger, and more secure,” he said. “We’ve had an outpouring of support from people all over the world looking to help because it’s something that many of us believe in dearly. To say the DDS team is proud is an understatement – this is a big gain for how the United States Government can improve security and we look forward to seeing other agencies use this model.”
Rice couldn’t get into any details of the ongoing engagement — like has anyone successfully breached the Pentagon yet? — but he did say past experience should be a guide.
“The idealistic state is that there are no vulnerabilities and that you could run one of these programs and no one would find one,” he said. “In reality we never see that happen.”
Of the 500 or so programs the company has run to date, more than three-quarters found a vulnerability in the first 24 hours, and 99 percent found one in the first three days, said Rice.
“When you invite that many creative, talented, skilled individuals to test your security, there’s almost a certainty that somebody will find something that your team wasn’t aware of, whether it’s a new attack surface or a new technique or a new way of approaching a problem that wasn’t done before,” he explained.
That’s the beauty of the bug bounty, which Rice described as an evolution of information security — an industry that he painted as reliant on failed traditional approaches: the fallacy of “Let’s buy a bunch of security products, do some penetration tests and we’ll find all of the vulnerabilities and we’ll fix them,” he said.
“It is the ultimate test of ‘How will I stand up to a very wide range of diverse, skilled, simulated adversaries?’” Rice said. “That’s the mindset a company should be in before they engage in one of these programs. It’s not just another means for finding vulnerabilities. It’s a means for testing your actual security response capabilities. And there is far more value in that … it sets apart the great security teams from everybody else.”
“Hack the Pentagon” will continue until May 12.