Page 18 - FCW, Nov/Dec 2016

Cybersecurity
In its pilot bug bounty program, DOD worked with HackerOne to have more than 1,400 security researchers explore five media-related DOD websites looking for security problems.
ing in DOD’s pilot “Hack the Pentagon” bug bounty program, which invited vetted members of the public to rummage around five media-related DOD websites with the goal of uncovering security problems.
Beginning April 18, DOD asked 1,410 security researchers who had registered for the challenge on the HackerOne platform to find vulnerabilities at defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.
DOD officials spelled out the terms and conditions under which the activities could be conducted and explicitly stated that hackers would not be prosecuted if they stayed within the given parameters.
Bounty hunters would be awarded cash amounts based on the severity of the bugs they found. Litchfield won the top payout of $15,000. The lowest amount awarded was $100.
Defense Secretary Ash Carter declared the program a success: Ultimately, 252 hackers submitted at least one vulnerability each, and 117 received payouts. The Pentagon promptly fixed all the uncovered bugs.
“Through this pilot, we found a cost-effective way to supplement and support what our dedicated people do every day to defend our systems and networks, and we’ve done it securely, and we’ve done it effectively,” Carter said at a June event announcing the results of the program.
It went so well that DOD asked its IT managers to examine all the other areas that could benefit from a bug bounty security checkup. Officials also plan to change DOD contracts to require vendors to submit their products to bug bounty security checks in some instances. And officials will issue a responsible bug disclosure policy to enable security researchers to report bugs without fear of prosecution.
In addition, DOD announced on Oct. 20 that it had contracted with HackerOne, a bug bounty management company, and Synack, a firm that provides crowdsourced security testing and intelligence, to enable DOD components to easily launch their own versions of Hack the Pentagon-style challenges.
All in all, it’s a huge pivot for DOD’s top-down culture. And as the pilot program made clear, Defense agencies will have to change further so that bug bounties will successfully scale.
A bounty of work
Crowdsourcing a security checkup sounds fairly straightforward, but two of the architects of DOD’s program said a lot of organizational work is involved.
“It’s not just a matter of throwing up an email online and seeing what happens,” said Katie Moussouris, founder and CEO of Luta Security. She created Microsoft’s first bug bounty program and helped set up DOD’s Hack the Pentagon program. “You have to prepare, and most organizations are not prepared.”
Agencies must consider the resources they have before they embark on a similar program, said Lisa Wiswell, the Defense Digital Service’s digital security lead.
Those with mission-critical public-facing websites should consider adding bug bounty programs to their existing security and penetration testing procedures, but they should also consider hiring a contractor to manage the process. Among other things, that approach frees up internal technology staffers to focus on squashing the bugs.
For example, DOD received 1,189 bug reports in the Hack the Pentagon pilot, of which only 138 qualified for payouts. Someone had to cull through those reports and verify which ones were valid and which were duplicates.
“The amount of work that people would have had to do to cull through that, to make sure that those reports were robust and to make sure that we could act on them would have created more [of a problematic workload] than would have helped,” Wiswell said. “By paying a contractor, you’ve outsourced a tremendous amount of the work, and you’ve allowed the people who know