What do General Motors, AT&T, IBM, Samsung and Tesla all have in common? They offer bug bounty programs.
Bug bounty programs are a way for companies to offer recognition and compensation to security researchers and white-hat hackers who report bugs and vulnerabilities. These programs are not just for hip Silicon Valley technology companies, though many of them, such as Google, Microsoft, Facebook and Uber, offer similar programs. In fact, there are over 600 such programs being offered. Noticeably missing from the list of companies that offer bug bounties is Apple.
On April 18, the Department of Defense will open a pilot bug bounty program dubbed "Hack the Pentagon." That also happens to be the same day as Paul Revere's famous ride, warning of the arrival of enemy soldiers. As a former ethical hacker at PwC and now CEO of a data security company, I understand the importance of testing your own systems for bugs and vulnerabilities before the bad guys are able to locate them and steal your sensitive data. In my years of testing systems, I've never come across one in which I was not able to find at least one severe issue that could lead to a compromise of sensitive information.
So why would the DoD open up such a program to people who are neither DoD employees nor contractors? In the department's words, "…to explore new approaches to its cybersecurity challenges, and evolve to adopt the best practices used by the most successful and secure software companies in the world." Missing from that statement is that such a program is also a way to recruit some of the world's most talented security experts. Over a decade ago the FBI would attend hacker conferences such as DEFCON — the world's largest hacker conference — to learn about the newest ways to defeat security systems. A game developed: Attendees of the conference were given a T-shirt if they could "spot the fed." Today the FBI and other government agencies openly attend DEFCON attempting to recruit security talent. It is no secret that there is a massive shortage of security talent, and competing for such talent is difficult at best.
Crowdsourcing security has become a viable way for companies to supplement their own security efforts — and so the DoD appears to be adding it to its list of security programs. Some companies choose to run their bug bounty programs in-house, while others outsource them to companies that specialize in organizing programs, validating the incoming bug reports and issuing rewards. Rewards range from simple recognition on a wall of fame to trinkets and T-shirts all the way up to cold hard cash. United Airlines paid one researcher 300,000 frequent flyer miles, and Microsoft paid a $100,000 prize to a researcher for finding a bug in its Windows operating system. The DoD has set aside a pool of $150,000 for its program. Individual bounty payments will depend on a number of factors, such as the severity of the issue, the complexity of the bug and what type of sensitive data is exposed.
There has been a lot of talk surrounding whether or not the DoD should be doing this. As an American and, again, someone who is trusted to protect the sensitive data for hundreds of organizations, I welcome the move to evolve our government's data security practices.
A closer look reveals that the DoD has taken a measured approach, as this is its first time offering bounties for security bugs. First, the program has some pretty strict rules regarding who can actually participate. That is not to say the DoD's systems are not already under attack every second of the day by an untold number of nefarious individuals, activists and rogue nation states; the rules only govern who may take part in the sanctioned program. Those wanting to participate must register beforehand and have a U.S. Social Security number, taxpayer identification number or employer identification number. They must be eligible to work in the U.S., cannot reside in a country currently under U.S. trade sanctions and cannot be on the U.S. Department of the Treasury's Specially Designated Nationals list. In short, not just any run-of-the-mill bad guy or non-U.S. citizen. Equally important is the scope of the program: It is limited to Web applications. Attacking core infrastructure is strictly off limits. The complete list of in-scope targets will be made available as the April 18 start date approaches, and the contest ends on May 12.
Bug bounty programs are a good way to find and fix issues early, and they ultimately add another layer of protection for sensitive data. When properly managed and with a well-defined scope, these programs have proven to be successful. The DoD has always classified its information and applied security controls based on the sensitivity of its data, but the decision to try such a program represents an evolution in its thinking about security — and one that other companies should pay close attention to.
Todd Feinman is the CEO of Identity Finder.