DOD bug bounty programs pay off
- By Mark Rockwell
- Mar 31, 2017
The Defense Department’s Hack the Pentagon program has delivered some serious ROI. The 2015 pilot found more bugs faster that -- and for a fraction of the cost of -- commercial penetration testing, a DOD digital service expert said.
In last year's bounty program, 1,300 hackers found 165 problems -- some "high risk" -- in five public-facing DOD websites. DOD paid out $150,000 in bounties, the Pentagon's Hunter Price said at a March 30 meeting of the Information Security and Privacy Advisory Board.
Contractors who had previously tested the websites found 10 low-risk vulnerabilities. That result of the hacking pilot, he said, was "1,000 percent" return on investment, he said.
Getting the best hackers to participate, however, can mean casting a wide net that can include hackers who have some legal baggage, he said.
Although participants in the 2015 Hack the Army and Hack the Pentagon pilots underwent background checks, the DOD has had to accept some risk.
Intense scrutiny, Price said, "can scare off talent" that may be able to find more insidious system weaknesses. DOD weeded out some hackers from the programs "who we didn't want to pay for PR reasons," he said.
The General Services Administration is more welcoming to bug bounty participants -- and more lenient when it comes to background checks for participants, said Eric Mill, senior advisor for the Technology Transformation Service.
"We want to get a variety of people. I have no problem paying a teenager from Russia if they can improve our system," Mill said.
The GSA, Mill said, isn't developing its bug bounty program for other agencies, only for itself. The scope of the program, Mill said, could cover bigger, critical GSA services such as Cloud.gov and the shared service identity management tool Login.gov.
Although GSA’s bug bounty program won’t cover other federal agencies, some ISPAB board members wondered how it could be adapted as a shared service for all of government.
"It's possible," said Mill, but any future bug bounty shared service would have to "understand how decentralized" agencies can be and one-size-fits-all approaches could complicate such an effort.
This article was first posted to FCW, a sister site to GCN.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at email@example.com or follow him on Twitter at @MRockwell4.