    US Department of Defense Expands Bug Bounty Efforts

    By Sean Michael Kerner - October 24, 2018

      While it might seem counterintuitive, the U.S. Department of Defense has been actively encouraging hackers to hack the Pentagon since 2016, in an effort to identify software vulnerabilities.

      On Oct. 24, the DoD announced an expansion of its bug bounty efforts, awarding contracts to three managed bug bounty vendors: HackerOne, Synack and Bugcrowd. HackerOne and Synack had been part of an October 2016 contract with the DoD for bug bounties, which is now being renewed and extended to bring Bugcrowd into the program.

      “The contract is an IDIQ [Indefinite Delivery, Indefinite Quantity], which is a vehicle government agencies use to accelerate the engagement of emerging technologies across different departments,” Casey Ellis, founder and CTO of Bugcrowd, told eWEEK. “The DDS [Defense Digital Service] team has done a phenomenal job of evangelizing the concept within the DoD, and the pipeline of work is already starting to fill.”

      With a bug bounty program, an organization rewards security researchers for privately disclosing software vulnerabilities so they can be fixed before being exploited. The DoD has been running multiple bug bounty efforts since 2016, including Hack The Pentagon, Hack the Air Force, Hack the Marines and Hack the Army, among other efforts. The Hack the Air Force 2.0 bounty in February, for example, was a 20-day challenge in which 106 vulnerabilities were disclosed and patched. The DoD paid out $103,883 in awards to security researchers as part of the effort. Hack the Air Force was run by HackerOne, which has also operated the Hack the Army and Hack the Marines efforts.

      There are two portions of the Hack the Pentagon contract, according to HackerOne CEO Mårten Mickos. Functional Area 1 (FA1) is what HackerOne was originally selected for. FA1 covers public-facing assets, like the programs HackerOne has run with the Army, Air Force, Defense Travel System and Marine Corps.

      “We’ve done six challenges related to public-facing assets and will continue with more in the future,” Mickos told eWEEK. “Functional Area 2 [FA2] is the second portion of the Hack the Pentagon contract, which is new to HackerOne and what we’re announcing today. It’s related to government assets that aren’t in the public domain.”

      Synack

      While HackerOne has been managing programs against public-facing assets, Synack has been running a private, managed Hack the Pentagon program.

      “We have conducted a variety of crowdsourced security programs for the sensitive, internal systems of military services and DoD agencies, including the USAF and Army,” Jay Kaplan, CEO and founder of Synack, told eWEEK. “Given the sensitive nature of what we do, including simulating classified systems in simulated, unclassified environments, most program details are private.”

      Kaplan said the program expansion will build capacity to help meet the growing demand by DoD components to tap into new perspectives through crowdsourced security. He added that the new features of the program will enable DoD components to run continuous, yearlong assessments of high-value assets. Additionally, Kaplan noted that the expanded program will also allow the DoD to run assessments on a broader range of assets such as hardware and physical systems.

      Bugcrowd

      The addition of Bugcrowd into the DoD bug bounty contract is seen by Ellis as recognition of his company’s traction in the market over the last two years.

      “A lot has happened over the last two years in terms of Bugcrowd’s traction in the market, including success with more traditional and specialist clients and a continuous focus on increasing the strength and value of both our platform and our other set of customers: the white-hat hackers,” Ellis said. “The DoD has observed this progress during that time, and we’re both very excited to have Bugcrowd join the ‘Hack The Pentagon’ program.”

      Ellis said that while Bugcrowd is known as a bug bounty company, the work his company will be doing for the DoD is no different from the much quieter “crowdsourced security” side of his business, which now accounts for almost 85 percent of what Bugcrowd does. The crowdsourced side of the Bugcrowd business is all about privately delivered, highly vetted and trusted, crowdsourced security testing.

      “The most exciting part of the award for us is that this is already the majority of what we do as a business, and it multiplies the opportunity for the hackers in our community,” Ellis said.

      What Enterprise Can Learn

      The vendors see the DoD's continued expansion of, and benefit from, bug bounty and crowdsourced security efforts as a case study that commercial enterprises would be well-advised to learn from. Ellis commented that if an agency as large, critical and well-established as the DoD can understand the power of the crowdsourced model, then the enterprise can too, and many already have.

      “The main barrier to organizations reaping the benefit of better hacker feedback is the misperception that hackers are inherently evil,” Ellis said. “The extension of the Hack The Pentagon program drives home the message that hackers are the locksmiths of the internet, not the burglars. Enterprise can learn a lot from that.”

      According to Kaplan, crowdsourced security is highly effective for testing the full spectrum of digital assets, from public-facing to internal systems. However, Kaplan said that crowdsourced security should be approached in the right way with robust control given to the customer, including a platform to harness the intelligence and findings from testing, and processes in place to help scale security operations, not burden teams.

      “Also, don’t wait until late in the development cycle to do a crowdsourced security test,” Kaplan advised. “In our program with the DoD, the DoD conducted crowdsourced security tests on systems in development that helped catch vulnerabilities before they were deployed and could have a negative impact.”

      For Mickos, the lesson that the DoD has learned is clear, and it’s one that enterprises of all sizes should learn as well.

      “The Hack the Pentagon program has taught us that no one is immune to vulnerabilities,” he said.

      Mickos added that government organizations house some of the most secure defense systems in the world and are frequently targeted by adversaries. Yet hackers have still been able to surface over 5,000 valid vulnerabilities to the DoD.

      “There is always something to be found whether in the public or private sector,” Mickos said. “At this point, not having a vulnerability disclosure program is negligent.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
