Historically, the U.S. government has kept hackers at arm’s length, even if their intentions are benevolent. However, over the last 18 months, the Department of Defense (DoD) has run an expansive bug bounty program, which has apparently been a massive success.
In June 2015, it was discovered that the Office of Personnel Management had suffered a massive breach, initially reported as exposing the records of as many as 4 million individuals (an estimate later revised upward to roughly 21.5 million). In the wake of these revelations and other similar breaches, plans began to take shape for the DoD to investigate the potential of a bug bounty program.
The initial trial for “Hack the Pentagon” ran in 2016 from April 18 to May 12. A total of 138 unique, valid vulnerability reports were submitted over this period, prompting a total bounty payout of $75,000, with individual bounties ranging from $100 to $15,000.
That November, the DoD also ran “Hack the Army” to find flaws in the Army’s public recruiting websites. Then, this May, “Hack the Air Force” set out to secure the online assets of another branch of the military. The combined payout across these programs has climbed to around $300,000.
These limited-time efforts were accompanied by an open-ended program, the DoD’s Vulnerability Disclosure Policy (VDP). The VDP doesn’t award any bounties, but it offers a legal channel for individuals to report issues with the department’s public-facing websites and web apps, something that hadn’t previously existed. In just a year, roughly 650 people have submitted a total of about 3,000 valid vulnerability reports through it.
“The VDP has just really taken off and started providing value in a way that I don’t think anyone was anticipating when we first launched it,” said Alex Rice, CTO of HackerOne, the company that collaborated with the DoD on the program, in an interview with Wired. “It was some learning. DoD realized that…if someone was still working on something there was no legal channel for them to get it to the government.”
The bug bounty program and its associated initiatives account for only one part of a larger process – once these vulnerabilities are reported, they still need to be triaged and fixed. According to HackerOne, the DoD has been able to establish the internal process and infrastructure that lets reported problems be resolved relatively quickly, compared to private companies that have run similar programs in the past.
The threat of prosecution under the Computer Fraud and Abuse Act long discouraged hackers and other independent researchers from raising issues with the U.S. government; a published disclosure policy gives them explicit authorization to test and report, and so a defense they previously lacked. These extensive bug bounty programs indicate a change of approach toward this kind of activity. As most of the cybersecurity industry has understood for some time, malicious actors are constantly hunting for new vulnerabilities to exploit, so there are distinct advantages to having friendly hackers take stock of any potential weak spots first.