DoD embraces bug bounty programs in push to get ahead of cybersecurity vulnerabilities

Officials at the Department of Defense (DoD) recently initiated several seemingly unorthodox programs in its multi-year campaign to secure its networks from adversaries. To date, the “Hack the Pentagon,” “Hack the Army,” and “Hack the Air Force” bounty programs have yielded over 450 valid vulnerabilities among them.

The Air Force’s Chief Information Office is sponsoring the latest event, “Hack the Air Force,” as part of the Secure campaign. “Hack the Air Force,” says Marten Mickos, CEO of HackerOne in San Francisco, is a bug bounty program that “falls within a broader contract with the Department of Defense, under which HackerOne will orchestrate hacker programs where we look for system vulnerabilities and report them to the agency in question so that they can fix those software bugs and thereby prevent criminals and adversaries from breaking into their systems.”

The joint effort started about “one and a half years ago with ‘Hack the Pentagon,’ followed by ‘Hack the Army’ and the latest one, ‘Hack the Air Force,’ which we conducted in June of 2017,” he adds.

The end results of “Hack the Air Force” found “a total of 207 valid vulnerabilities and out of those 207, nine were deemed critical or of high severity,” Mickos says.

“Hack the Pentagon” found 138 unique and valid vulnerabilities, while “Hack the Army” found 118; according to DoD officials, all vulnerabilities have been resolved.

These unconventional programs show that the DoD is no longer waiting to solve its cybersecurity issues, but is instead proactively making sure its systems are secure. “Many times, in society, we believe that the government is lagging behind a bit and moving slower than the private sector, but with ‘Hack the Pentagon,’ the DoD is actually one of the pioneers of the whole industry,” Mickos says. “They are doing more than many, many corporations in the business sector. I think it’s a particular source of pride to see that the Pentagon was first out and did the first bug bounty program in the history of the federal government.”

The programs are stringently monitored. Mickos explains that HackerOne staff take the reports and review them to determine if they are valid or not. “You get a relatively high number of reports in total, and then some portion of those are deemed valid. By valid, we also mean nonduplicates, because sometimes two separate hackers will find the same problem and then we record the first one that reported it.”

A report may be rejected as invalid when the finding is not a “weakness of the system, or they misunderstand the severity of it; maybe it is a true bug but it’s not so important or severe that it would have any meaning,” he adds.

The higher number of vulnerabilities found in the Air Force initiative may be because the program broadened participation to include partner nations. The inclusion of other nations led to a “total of 272 eligible and background-checked vetted hackers who participated, with 33 of them coming from the U.K., Canada, New Zealand, and Australia,” Mickos says.

From within this pool of talent emerged a 17-year-old who, according to Mickos, was the “best-performing hacker in ‘Hack the Air Force.’” He submitted 30 valid reports and earned the largest bounty sum during the term of the challenge.

With participants coming from all over the world, HackerOne had already started a community of white-hat hackers that will continue to find vulnerabilities within DoD systems. These vetted hackers maintain a reputation score with HackerOne in order to “make sure that they have a good level of skill,” Mickos notes. “They need to have shown that they know how to hack and that they are professional. Even though technically they are amateurs, they are so good that they can find the really valuable vulnerabilities and report them well.”

It’s a pretty genius and benevolent way to ensure that security is kept at its peak; the reputation points then become bragging rights in the hacker community. This friendly competition leads to more secure systems. The beauty of it? “They are all trying to be the best,” Mickos says. (View the HackerOne leaderboard at https://hackerone.com/leaderboard/all-time.)

To continue this effort, Mickos points out that the DoD also has a continuous program called the “DoD Vulnerability Disclosure Program,” where anybody can report anything at any time. While the hackers don’t get paid actual cash bounties for finds under the vulnerability disclosure program, that’s where those bragging rights come into play. Moreover, for those looking to increase their skills, this approach is a great way to do it.

Although there is no “Hack the Navy” officially in the works, HackerOne is “under a multiyear contract with the DoD to do many, many challenges,” Mickos says. “You could say that HackerOne stands ready to do them whenever the DoD wants to do them, and we’ll see what the next one is, but I’m sure there’ll be a ‘next one’ pretty soon.”