While it might seem counterintuitive, the U.S. Department of Defense has been actively encouraging hackers to hack the Pentagon since 2016, in an effort to identify software vulnerabilities.
On Oct. 24, the DoD announced an expansion of its bug bounty efforts, awarding contracts to three managed bug bounty vendors: HackerOne, Synack and Bugcrowd. HackerOne and Synack had been part of an October 2016 contract with the DoD for bug bounties, which is now being renewed and extended to bring Bugcrowd into the program.
“The contract is an IDIQ [Indefinite Duration Indefinite Quantity], which is a vehicle government agencies use to accelerate the engagement of emerging technologies across different departments,” Casey Ellis, founder and CTO of Bugcrowd, told eWEEK. “The DDS [Defense Digital Service] team has done a phenomenal job of evangelizing the concept within the DoD, and the pipeline of work is already starting to fill.”
With a bug bounty program, an organization rewards security researchers for privately disclosing software vulnerabilities. The DoD has been running multiple bug bounty efforts since 2016, including Hack The Pentagon, Hack the Air Force, Hack the Marines and Hack the Army, among other efforts. The Hack the Air Force 2.0 bounty in February, for example, was a 20-day challenge in which 106 vulnerabilities were disclosed and patched. The DoD paid out $103,883 in awards to security researchers as part of the effort. Hack the Air Force was run by HackerOne, which has also operated the Hack the Army and Hack the Marines efforts.
There are two portions of the Hack the Pentagon contract, according to HackerOne CEO Mårten Mickos. Functional Area 1 (FA1) is what HackerOne was originally selected for. FA1 relates to public-facing assets, like the programs HackerOne has done with the Army, Air Force, Defense Travel System and Marine Corps.
“We’ve done six challenges related to public-facing assets and will continue with more in the future,” Mickos told eWEEK. “Functional Area 2 [FA2] is the second portion of the Hack the Pentagon contract, which is new to HackerOne and what we’re announcing today. It’s related to government assets that aren’t in the public domain.”
While HackerOne has been managing programs against public-facing assets, Synack has been running a private, managed Hack the Pentagon program.
“We have conducted a variety of crowdsourced security programs for the sensitive, internal systems of military services and DoD agencies, including the USAF and Army,” Jay Kaplan, CEO and founder of Synack, told eWEEK. “Given the sensitive nature of what we do, including simulating classified systems in simulated, unclassified environments, most program details are private.”
Kaplan said the program expansion will build capacity to help meet the growing demand by DoD components to tap into new perspectives through crowdsourced security. He added that the new features of the program will enable DoD components to run continuous, yearlong assessments of high-value assets. Additionally, Kaplan noted that the expanded program will also allow the DoD to run assessments on a broader range of assets such as hardware and physical systems.
The addition of Bugcrowd into the DoD bug bounty contract is seen by Ellis as recognition of his company’s traction in the market over the last two years.
“A lot has happened over the last two years in terms of Bugcrowd’s traction in the market, including success with more traditional and specialist clients and a continuous focus on increasing the strength and value of both our platform and our other set of customers: the white-hat hackers,” Ellis said. “The DoD has observed this progress during that time, and we’re both very excited to have Bugcrowd join the ‘Hack The Pentagon’ program.”
Ellis said that while Bugcrowd is known as a bug bounty company, the work his company will be doing for the DoD is no different from the much quieter “crowdsourced security” side of his business, which now accounts for almost 85 percent of what Bugcrowd does. The crowdsourced side of the Bugcrowd business is all about privately delivered, highly vetted and trusted, crowdsourced security testing.
“The most exciting part of the award for us is that this is already the majority of what we do as a business, and it multiplies the opportunity for the hackers in our community,” Ellis said.
The fact that the DoD is continuing to expand and benefit from bug bounty and crowdsourced security efforts is seen by the vendors as a case study that commercial enterprise would be well-advised to learn from. Ellis commented that if an agency as large, critical and well-established as the DoD can understand the power of the crowdsourced model then the enterprise can too, and many already have.
“The main barrier to organizations reaping the benefit of better hacker feedback is the misperception that hackers are inherently evil,” Ellis said. “The extension of the Hack The Pentagon program drives home the message that hackers are the locksmiths of the internet, not the burglars. Enterprise can learn a lot from that.”
According to Kaplan, crowdsourced security is highly effective for testing the full spectrum of digital assets, from public-facing to internal systems. However, Kaplan said that crowdsourced security should be approached in the right way with robust control given to the customer, including a platform to harness the intelligence and findings from testing, and processes in place to help scale security operations, not burden teams.
“Also, don’t wait until late in the development cycle to do a crowdsourced security test,” Kaplan advised. “In our program with the DoD, the DoD conducted crowdsourced security tests on systems in development that helped catch vulnerabilities before they were deployed and could have a negative impact.”
For Mickos, the lesson that the DoD has learned is clear, and it’s one that enterprises of all sizes should learn as well.
“The Hack the Pentagon program has taught us that no one is immune to vulnerabilities,” he said.
Mickos added that government organizations house some of the most secure defense systems in the world and are frequently targeted by adversaries. Yet, hackers have still been able to surface over 5,000 valid vulnerabilities to the DoD.
“There is always something to be found whether in the public or private sector,” Mickos said. “At this point, not having a vulnerability disclosure program is negligent.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.