The Pentagon’s bug bounty program hit its midway point this past week, and already the initiative is, in some ways, a success. More than 500 security researchers and hackers have undergone background checks and begun to take part in the search for security flaws, according to HackerOne, the company managing the program.
The “Hack the Pentagon” pilot, announced in March, is the first federal government program to use a private-sector crowdsourcing service to facilitate the search for security flaws in government systems.
The $150,000 program started two weeks ago and will continue for another two weeks. While neither the Pentagon nor HackerOne has disclosed any of the results so far, Alex Rice, chief technology officer and co-founder of vulnerability-program management service HackerOne, stressed that it would be “an extreme statistical outlier” if none of the researchers found a significant vulnerability.
“What I can say is that we haven’t seen any of [these programs] launched, even those with a smaller number of individuals, where the researchers have found nothing,” he told eWEEK. “No one who launches these bounty programs expects to find nothing.”
The Pentagon’s program is the first bug bounty effort sponsored by the federal government, but it is unlikely to be the last, because companies and government agencies are on the wrong side of an unequal security equation: While defenders have to hire enough security workers to find and close every security hole in their software and systems, attackers only have to find one, said Casey Ellis, CEO and founder of BugCrowd, a vulnerability-bounty organizer.
“The government is in a really bad position right now, which comes from being outnumbered by the adversaries,” he said. “They can’t hire security experts fast enough, and in the meantime they are still being hacked.”
Crowdsourcing some aspects of their security work partly offsets that numerical disadvantage for these organizations, he said.
The Department of Defense program, however, is on a much larger scale than most initial commercial efforts, HackerOne’s Rice said. Other efforts typically use dozens of security researchers, rather than hundreds.
The Pentagon should get good results because the sheer number of participating hackers gives the program broader coverage of potential vulnerabilities.
“Even hiring the best security experts that you are able to find, that will still be a much smaller pool than if you could ask everyone in the world, or in the country,” Rice said. “You really can’t do security effectively unless you come at it from every possible angle.”
U.S. Secretary of Defense Ash Carter characterized the initiative as a way for the government to take new approaches to blunt the attacks targeted at the agency’s networks.
“I am always challenging our people to think outside the five-sided box that is the Pentagon,” he said in a statement at the time. “Inviting responsible hackers to test our cyber-security certainly meets that test.”
The bug bounty pilot started on April 18 and will end by May 12, according to the Department of Defense. HackerOne is slated to pay out bounties to winners no later than June 10. The Department of Defense has earmarked $150,000 for the program.
The DOD called the initiative a step toward implementing the administration’s Cyber National Action Plan, a strategy document announced Feb. 9 that calls for the government to prioritize immediate actions that bolster the defenses of the nation’s networks. The program is being run by the DOD’s Defense Digital Service, which Carter launched in November 2015.
While finding and fixing vulnerabilities is important, the program could also create a potential pipeline to recruit knowledgeable security workers into open positions in the federal government, Monzy Merza, director of cyber research at data-analysis firm Splunk, said in an email interview.
“Discovery and fixing of vulnerabilities is a good thing,” he said. “Creating an opportunity for individuals to test their skills and learn is also important. And there is a general shortage of skilled security professionals. Putting all these pieces together, a bug bounty program creates opportunities for people to learn and creates a human resource pool in a highly constrained market.”
While attacking government systems may thrill some hackers and make others too nervous to participate, the actual program differs little from the closed bug hunts sponsored by companies, HackerOne’s Rice said.
The security firm’s programs—and other efforts by BugCrowd and TippingPoint’s Zero-Day Initiative, now part of security firm Trend Micro—vet security researchers and hackers to some extent before allowing them to conduct attacks on corporate services and Websites, especially production sites. In the Pentagon’s case, more extensive background checks were conducted.
In the end, the programs allow companies to spend money on security more efficiently, only paying for results, not just hard-to-find workers, he said.
“Companies are not insecure because of a lack of money to spend on security,” Rice said. “There is a ridiculous amount of money being inefficiently and ineffectively spent on security. Even if we could hire all the security experts in our town or in our field, we could not possibly level the playing field against the adversaries.”