White-hat hackers in the Defense Department’s monthlong Hack the Pentagon bug bounty program found 138 vulnerabilities that the department has since remediated — and now Defense Secretary Ash Carter wants to make the model a fixture within DOD.
Bug bounties are programs in which an organization, like a software company or in this case the Pentagon, pays independent cybersecurity researchers to find vulnerabilities on their systems. Carter said Friday that based on the success of this first pilot — both for the DOD and the federal government — he was “directing all DOD components to review where bug bounties can be used by them as a valuable tool in their own security toolkit.”
The Pentagon will also begin incentivizing its contractors to invest in their own independent security reviews like bug bounties before using a technology on a DOD system. “This will help them make their code more secure from the start and before it’s installed on our systems,” Carter said.
Of the 1,400 hackers invited to participate in the bug bounty, about 250 of them found at least one vulnerability, though not all were eligible for a bounty because they were already reported or for other reasons, Carter said. In total, the Pentagon received 1,189 reports from participants, the first one just 13 minutes after the program was launched midnight April 18.
Hackers were limited to searching for vulnerabilities on the Pentagon’s public-facing websites, and most commonly they found errors in cross-site scripting, information disclosure and cross-site request forgery, according to HackerOne, the company that operated the program for DOD.
Defense Digital Service Director Chris Lynch, who led the engagement, told reporters none of the vulnerabilities involved mission-critical systems.
“This test was not for those,” Lynch said. “This was our ability to start at the surface and look at what we’re doing there and see how we can use this as a lesson learned, even for things where we might not run a bounty but can apply the same learnings for really, really critical systems.”
Outside of the bounty program, Carter noted, it’s difficult for cyber researchers to report found DOD vulnerabilities. Hack the Pentagon, though, was an eye-opener to how much these hackers could help.
Therefore he also ordered the creation of “a central standing point of contact for researchers and technologists to safely and securely submit information about DOD security gaps that they come upon.”
Carter lauded Hack the Pentagon for its cost effectiveness, awarding $71,200 in bounties — in total the DOD set aside $150,000 for the pilot — at an average of $588 for discovering the 100-plus vulnerabilities, which he said otherwise probably would have cost more than $1 million to hire a contractor to find them — or worse, “finding out the hard way,” Carter said, alluding to an attack.
“Through this pilot we found a cost effective way to supplement and support what our dedicated people do every day to defend our systems and networks, and we’ve done it securely, and we’ve done it cost effectively in this case,” Carter said.
It also freed up DOD information security personnel up to fix problems rather than spend their time searching for them.
“By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend time fixing them,” Carter said. “The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”
As a model of success, Hack the Pentagon could open doors for other federal agencies to try their hand at bug bounties. The General Services Administration 18F appears to be one of the first to follow DOD’s lead.
“We’ve done more with this pilot than make our networks more secure for the short term,” Carter said. “We’ve built relationships of trust for the long term. We’ve provided a roadmap for other government departments and agencies to crowdsource their own security.”