It took a cohort of freelance hackers just 13 minutes to break into Pentagon websites, said Mårten Mickos, CEO of Silicon Valley-based bug bounty firm HackerOne, in a Reddit AMA on Thursday.
As part of a larger penetration test aimed at a controlled section of the Pentagon’s IT infrastructure, Mickos’ company was responsible for deploying a team of hackers — operating from April 18 to May 12 — to find and disclose cybersecurity vulnerabilities. This effort represented the first bug bounty program ever run by the Defense Department.
Since its conclusion, the “Hack the Pentagon” project has been hailed by lawmakers on Capitol Hill and DOD leaders as a success — exemplifying what Secretary of Defense Ash Carter described as a creative and fiscally responsible solution to a growing security concern.
HackerOne’s platform works by attracting freelance hackers to something similar to a job board forum, where available work is listed alongside further details. The company will manage and oversee both the focused hacking and subsequent disclosure process inherent in every operation. Each client decides their own payout structure, dependent on a variety of factors, including the class and complexity of vulnerability discovered.
Nearly 140 previously unknown vulnerabilities were found during the Pentagon pilot program, yielding payouts of between $100 and $15,000 to 117 participating white hat hackers. On Thursday, Mickos and his team took to Reddit to answer questions about their company, mission and past experiences.
On what happens when a zero-day disclosure affects more than one company:
“Ethics is not a set of rules or best practices, it’s an internal thing, and looks very different from one person to the next … What I’d do is report it to where it can be centrally fixed, and once a patch is available, report it where it hasn’t been patched yet. This might not be an approach optimized for bounties, since many of the companies will have been notified somehow and mark it as a dupe, but this approach considers the ecosystem which is valuing improved security,” wrote Ryan McGeehan, a HackerOne founding adviser.
On whether any of their customers have ever been completely secure:
“We have never had a customer without vulnerabilities or that we’ve failed to hack … The reality is that all software contains bugs, and all production systems contain vulnerabilities. Our community always finds some of them,” Mickos responded to one Reddit user.
On keeping a balance between available hackers and companies willing to participate in bounty programs:
“We need enough hackers to offer a good service to our customers, but we also need enough bounty-paying customers to make the pursuit worthwhile for the hackers. We put a lot of work into finding and signing up customers and we currently have about 600 programs running. We have paid out about $10 million in bounties so far, so we feel we have a great balance,” Mickos said.
On how much money bug hunters make:
“The average bounty on the platform is around $500. Depending on how much time you invest, you will either find tens or hundreds of bugs on an annual basis. While the top hackers [can] easily take home [six] figures, the community consists of mostly casual hackers who have day jobs. This category — roughly 50 percent — makes around $20K or less. The next biggest group is anywhere between $20K and $35K. Around 6 percent of the community takes home 6 figures or more,” answered Michiel Prins, HackerOne co-founder.
On the safety and privacy measures taken as part of the bug bounty process: