DOD sees the benefits of running a long-term bug bounty

Oct 21, 2016 16:05 GMT

The US Department of Defense (DOD) announced yesterday plans to continue a pilot program called "Hack the Pentagon," which it ran this spring and which allowed external security researchers to probe DOD infrastructure for security flaws.

The program, which was handled via the HackerOne bug bounty platform, was a tremendous success and helped the DOD fix 138 security flaws, while researchers earned $150,000 for their work.

In June, when the initial pilot program concluded, the DoD DDS (Defense Digital Service) announced plans to launch three more bug bounty programs.

In an announcement published today, DOD officials said they decided to make the Hack the Pentagon bug bounty program a mainstay, and announced contracts with HackerOne and Synack to manage upcoming bug bounty editions.

Hack the Pentagon to remain a private bug bounty program

The two companies will select vetted groups of researchers to work on pen-testing the DOD's infrastructure.

"[T]he DoD will leverage Synack’s private, managed approach to running a crowdsourced security testing program for the DoD’s most critical and highly sensitive IT assets," said Jay Kaplan, Synack CEO.

Based on public statements, DOD officials also seem to be very pleased with how the initial Hack the Pentagon bug bounty went, and are actually interested in outsourcing more of their security tasks to third parties.

"Frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered," said Greg Touhill, US Chief Information Security Officer.

DOD will encourage contractors to use bug bounty programs as well

Defense Secretary Ash Carter also says that the new Hack the Pentagon editions won't target DOD infrastructure alone.

"We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DoD systems can also take advantage of innovative approaches to cybersecurity testing," Carter explained.

"For example, in some circumstances, we will encourage contractors to make their technologies available for independent security reviews like bug bounties before they deliver them to us. This will help them make their code more secure from the start, and before it’s installed on our system," Carter said.

In fact, Carter seems to be completely sold on the idea of bug bounty programs overall, and hopes other state departments will also jump on board. "We’ve provided a road map for other government departments and agencies to crowd-source their own security," he said.

Asking contractors to submit DOD-contracted services and software to bug bounty programs, and urging other state departments to use bug hunters, represents a total shift from how Pentagon officials viewed security a decade ago, when everything was sealed airtight to avoid leaks.

Public incidents like the OPM hack have forced US officials to change their stance on cyber-security and the procedures needed to boost the security of crucial systems.

Hack the Pentagon criticism

But the Hack the Pentagon pilot has also had its detractors. For starters, many have complained that only a select few get invited to participate. Ilia Kolochenko, founder and CEO of security firm High-Tech Bridge, explains why the DOD took this approach.

"Few crowd security testing companies perform a reliable and comprehensive due-diligence on their researchers, opening doors to Black Hats trying to hide among White Hat researchers and get access to private bug bounty programs," Kolochenko says. "Therefore, DoD['s] decision to reasonably limit the scope of their crowd security testing program seems to be well-thought and justified."

This also explains why the DOD limited bug hunting to only a few DOD systems rather than its entire infrastructure, another point of contention for critics. Detractors have come down on the Pentagon's decision to only allow bug hunters on a few Internet-facing systems, and not on more critical infrastructure.

While Carter didn't provide any details on what exactly future Hack the Pentagon endeavors will include, bug hunters will most likely be granted access to more sensitive networks as the DOD finishes testing its outward-facing systems and the proper credentials and permissions are put in place.

"Being a good complement for existing security testing processes, bug bounties have some clear limits," Kolochenko also adds. "Any security testing program shall be proportional to the expected usage of the system in production: for example, a private e-banking portal shall not be tested with a bounty, while a globally open Forex trading platform can leverage the skills of the crowd."

What Kolochenko is trying to say is that, despite all the criticism the program has received, an open, public bug bounty program may not have been the smartest decision.

It made sense for the Pentagon to test its outward-facing systems via a pilot program with first-time security researchers, just as it now makes sense to award contracts to vetted security firms to continue this work on other, more sensitive systems with a limited set of proven specialists.