With the success of the Department of Defense's Hack the Pentagon pilot, defense officials are looking to expand the bug bounty program to more sensitive DoD networks and urged other federal agencies to do the same.
"The difference here is really the crowdsource model," according to Chris Lynch, director of the Defense Digital Service, a new team stood up within the DoD to bring in private-sector best practices like bug bounty programs. "The traditional infosec approaches are us working with contractors — we'll award a contract and those companies will provide a set of services just like anything else. This is a little bit different."
Using a crowdsource model, the DoD can bring in fresh ideas from civic-minded people willing to help the government find security holes at a relatively low cost to the government and for relatively modest payouts to the recipients.
Payouts for the bugs — the bounties — ranged from $100 to a high of $15,000 for one person who identified multiple security gaps. In total, the Pentagon spent $150,000 on the pilot, with about half going to bounties and the other half used to hire HackerOne to manage the program.
Approved hackers participating in the event were directed toward five public websites maintained by the DoD: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.
Bug reports started coming in just 13 minutes after the bounty contest launched on April 18.
In total, 1,410 hackers submitted 1,189 vulnerability reports. After culling through the submissions, DDS and HackerOne whittled that down to 138 unique weaknesses in the DoD's public-facing websites.
Within a month of the contest's end, DoD staff had patched or otherwise remediated all 138 vulnerabilities.
Lynch said the DoD started with a few public websites to pilot the program.
"Security through obscurity is not a very good mechanism," he said during a June 17 roundtable with reporters. "If you walk the perimeter of the Pentagon, you can see the gate, you can touch the gate and if you realize there's a hole in the gate, we'd rather know. I think that's a great place to start."
With its success, Lynch said he hopes to expand it to more DoD systems, including potentially opening the contest to more secure internal networks, even if the hackers would need security clearance to do so.
"The reality is some things will require clearances," he said. "You could still do a crowdsource model with people who are no longer at a defense contractor or people who are no longer with the federal government if they still have an active clearance."
In the coming months, Lynch and the DDS team will be exploring ways to expand the bounty program to every level of the DoD, if possible.
"This was the first time this had ever been done by the federal government," Lynch noted, and the results were better than expected.
"We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that," Defense Secretary Ash Carter said. "What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer."