Pentagon Bug Bounty Contest Uncovers at Least 100 Vulnerabilities

More than 1,400 hackers signed up to hammer at the U.S. Department of Defense's computer systems in search of security flaws during a 24-day pilot program.

Pentagon Bug Bounty

The U.S. Department of Defense finally revealed how its systems fared in a $150,000 bug-finding contest, where vetted hackers were given rewards for finding significant vulnerabilities.

On June 10, Defense Secretary Ash Carter told attendees at the Defense One Tech Summit that more than 1,400 security specialists applied to take part in the "Hack the Pentagon" program. Hackers that passed background checks and then participated in the contest found more than 100 security flaws, he said.

"It's again exceeded all of our expectations," Carter said in the published text of his speech. "They're helping us to be more secure at a fraction of the cost, and in a way that enlists the brilliance of the white hatters" rather than waiting to learn the lessons of the black hatters, Carter said in his published comments.

The 24-day Hack the Pentagon program, managed by bug-bounty program management firm HackerOne, ended on May 12, according to the Department of Defense. The U.S. military agency set aside $150,000 for the program, including bounties, which HackerOne was scheduled to pay out by June 10.

The Pentagon quickly added more researchers to its program. Less than halfway into the program, 500 researchers had signed up—a number that quickly grew to 1,400, a spokesperson for HackerOne said. The company declined to specify how much prize money had been paid out in the contest.

HackerOne declined to immediately provide more information on the severity and types of vulnerabilities, but promised to deliver more details later this week. The company did say that the Department of Defense's openness about the effort contributed greatly to its popularity.

"The Pentagon was incredibly transparent by publicly announcing this pilot program," Marten Mickos, CEO of HackerOne, said in an e-mail interview. "Most pilots happen behind close doors when they first launch. This transparency directly contributed to their success. They were able to recruit more hackers and therefore found more vulnerabilities."

HackerOne did not reveal the average number of bugs typically found during such a program, but Mickos' comments—and those of Secretary Carter—suggested that the hackers did well in discovering 100 security issues.

While the Pentagon made its bug bounty program public, most companies and organizations continue to keep their programs private. Nearly 63 percent of the programs managed by bug-bounty management firm Bugcrowd have involved private contracts, according to the company's State of the Bug Bounty 2016 report.

While bug bounties started out small—the average payout in 2014 was $201—they have risen quickly, increasing to $295 in 2015 and to $506 in the first quarter of 2016.

A survey of customers conducted as part of the report found that the primary reasons that companies use bug-bounty programs are to benefit from the diversity of creative testing methods, to only pay for positive results and to tap into a large volume of testers.

The Department of Defense has argued that such programs are a way to make good on the Cyber National Action Plan, a strategy document announced Feb. 9. The document mandates that the government prioritize immediate actions that improve the nation’s network defenses.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...