Page 21 - FCW, Nov/Dec 2016
that are contractors to the government and the government itself clearly [have] vested interests in protecting their data and their sites,” he said. “I think this reinforces their common protection.”
Berteau added that he couldn’t imagine a vendor not taking prompt action if it was notified about bugs in its systems because they often have contractual obligations to do so. Nevertheless, he said he would like to see DOD share the vulnerabilities discovered during bug bounties with the vendor community.
“I think transparency has to be a two-way street,” Berteau said. “I think there are some lessons to be learned and expanded upon, both from the company side and the government side. I think the statement is a very sound idea, but I think that it takes action by all parties to make it work.”
It’s a refrain echoed by many in the software industry, who are concerned that the National Security Agency and other federal agencies are undermining the public’s online security and privacy by stockpiling vulnerabilities to combat terrorists and child pornographers online and to engage in national security-related activities.
At DOD, however, it appears that officials see bug bounty programs as an efficient way to go after low-hanging fruit — common vulnerabilities lurking in its millions of lines of code that probably shouldn’t have existed in the first place.
In the Aug. 9 request for proposals that led to the new contracts for bug bounty services, one of the requirements was that vendors be able to sort through and prioritize vulnerability reports within 48 hours of receipt.
That seems like an appropriate level of urgency. According to a September 2015 DOD memo, the Pentagon’s networks were attacked 30 million times from September 2014 to June 2015.
“Less than 0.1 percent of the 30 million known malicious intrusions...compromised a cyber system,” the memo states, but that still means hackers were able to break into DOD systems as many as 30,000 times over a 10-month span. Furthermore, “the growing number of cyber intrusions across the department is costing tens of millions of dollars and thousands of man-hours to remediate,” the memo states. And about 80 percent of the incidents “can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.”
After the Office of Personnel Management data breach, the entire federal government saw the dangers of such shortfalls. But another high-profile case — this one involving British hacker Lauri Love — illustrates how damaging it can be to leave vulnerabilities unfixed.
In indictments filed with district courts in New York, New Jersey and Virginia, the federal government charged that Love and his co-conspirators exploited vulnerabilities in Adobe’s ColdFusion web application to steal information from databases at several federal agencies, including the Army, the Missile Defense Agency, the Environmental Protection Agency and NASA.
“The data stolen from the government victims included the personally identifiable information of hundreds of thousands of individuals, including military servicemen and servicewomen and current and former employees of the federal government,” the indictment states. “The attacks collectively resulted in millions of dollars in damages to the government victims.”
Nevertheless, questions remain about bug bounty programs and the extent to which they can work well in the federal government. For example, what happens if white hat hackers find so many bugs in a project that the assigned pot of bounty money is emptied before a designated challenge period ends?
That was a question posed in a document attached to one of DOD’s RFPs for a bug bounty service. There was no clear answer from DOD officials, other than stating that the department would not consider a suspension of the challenge under those circumstances as an incompletion of the task at hand as long as DOD program managers were fully aware of the rules and payout structures from the outset.
Despite such open questions, security experts agree that well-run bug bounty programs with vetted participants are a welcome addition to the existing portfolio of penetration testing and network monitoring programs that federal agencies currently use. For one thing, many traditional penetration testing companies have gotten sloppy, said John Pescatore, director of emerging security trends at the SANS Institute.
Craig Arendt, a security consultant at Stratum Security who participated in Hack the Pentagon, agreed. “Bug bounties can leverage a broad spectrum of talented researcher experience that might not otherwise be available to government,” he said. And a well-run program “provides incentives that encourage responsible disclosure.”
November/December 2016 FCW.COM 21