They Hacked the Pentagon!

In March of this year, the Pentagon announced a bug bounty program called “Hack the Pentagon.” The idea was one private companies also use. In the Pentagon’s model, the “hackers” were invited, but the concept is the same: “white-hat hackers” are turned loose to attempt to compromise systems, networks, or software products. Those who are successful (and the first to identify a particular issue) receive a cash bounty.
The Pentagon program ran from April 18 to May 12. The 1400 invited “hackers” found a total of 138 vulnerabilities in US Department of Defense public-facing websites. At a program cost of just $150,000, the Department judged it a success.
In fact, the Department is encouraging other DOD agencies to implement similar programs. Such programs have been around in the private sector since Netscape began the process over twenty years ago. The bounty programs are so popular that there is a site dedicated to them. As of this writing, they list 369 programs, 153 that offer bounties, 295 that offer acknowledgment of the submitted vulnerability and 12 that offer “swag”. The listings all point to appropriate pages at the companies’ sites.
Back in the early 1980s, I remember a local software company hiring college students to mess with their software and see if they could “break” it. Those students got paid by the hour, but the idea was similar.
I like the idea of the government using vetted security researchers (including a recent high school graduate, in the case of the DOD) to look for vulnerabilities. Face it, web page bugs are hard to find. If they were easy, there wouldn’t be so many. A bounty program not only rewards testers, but it also means the sponsor can receive notices of what testers found immediately.
Of course, bounties can be applied in other places, too. They aren’t just for bugs. They could be used in code reviews to find issues, to find errors in documentation and so on. One Learning Tree author even offered a bounty to course participants who found errors in the notes for his programming class. For the record, none did. Where else might bounties work?
I’d like to commend Ash Carter for starting this program. I hope other agencies in the DOD and the government adopt similar programs. Additionally, I think it would be productive if someone actually taught how to find bugs. Maybe that should be my next proposal for a Learning Tree course.
To your safe computing,