‘Hack the Pentagon’ Participants Discovered 138 Security Flaws with Five Government Websites

The Defense Department received at least one vulnerability report from more than 250 ethical hackers who took part in the department’s bug bounty program that occurred from April 18 to May 12, DoD News reported Friday. He ended up submitting six vulnerabilities, but they all were reported by other hackers also.

Outside of the bounty program, Carter noted, it’s hard for security researchers to report the DOD vulnerabilities they find.

The pilot program cost $150,000, including about $75,000 in reward prizes.

Defense officials said they were sufficiently encouraged by the pilot that they now want to extend the concept of “crowdsourced” cybersecurity beyond DoD’s top-level public web pages. Hack the Pentagon, though, was an eye-opener to how much these hackers could help.

“What we didn’t fully appreciate before this pilot was how many white-hat hackers there are”.

White-hat hackers in the Defense Department’s monthlong Hack the Pentagon bug bounty program found 138 vulnerabilities that the department has since remediated – and now Defense Secretary Ash Carter wants to make the model a fixture within DOD.

Back in March, the US Department of Defense launched a “Hack the Pentagon” campaign to get hackers to test its websites and networks for vulnerabilities, without the threat of jail time. None of the Department’s critical networks were part of the competition. This is the thought process other companies should be adopting; bug bounty programs are beneficial to companies. In total, the pilot discovered and reported 138 “legitimate and unique” vulnerabilities.

Defense Media Activity quickly worked to remediate each of these vulnerabilities. Hiring an outside contractor to conduct a similar security test could have cost more than $1 million.

“[Arendt] is a prolific security researcher who helped us identify a number of vulnerabilities and [Dworken] is a high school student who lives right here in the Washington area”.

David stated, “It was a great experience”.

“Even without a bounty, these things are still, personally for me, incredibly rewarding”, he said.

The pilot marks the first in a series of programs created to test and find vulnerabilities in the department’s applications, websites and networks.

In the coming months, Lynch and the DDS team will be exploring ways to expand the bounty program to every level of the DoD, if possible.

Ash Carter said the hackers tackled five public Pentagon internet pages.