DoD officials announce the program’s final results live in Washington, D.C., while researchers plot how to spend their freshly-earned bounties.
The Hack the Pentagon program turned out to have extra benefits for security researcher Jesse Clark, one of the 1410 hackers who tried to tunnel through the Department of Defense’s digital walls in April and May.
“I wanted to participate purely for the bragging rights,” he said.
He got those bragging rights, and more. The software developer at Ecliptic Technologies in Fargo, North Dakota ended up turning in 15 bug reports in the federal government’s first ever bug bounty program, where hackers competed to find vulnerabilities in the Department of Defense systems and earn rewards.
Ten of the reports turned out to be duplicates, he told Archer News, but five were his and his alone, some of the 138 unique vulnerabilities reported during the 24 days the bug bounty was in action. Suddenly, bragging rights became $3,000 cash.
“That money will be used on a down payment for a house,” Clark said.
Down payment for a nation
Secretary of Defense Ash Carter announced today that the DoD is finding extra benefits as well, not just the 138 vulnerabilities—now fixed—but new relationships with outside researchers, a plan for the DoD to expand its bug bounty program, and a road map for other government agencies to start their own.
“We know that state-sponsored actors and black hat hackers want to challenge and exploit our networks,” Carter said at a briefing in Washington, D.C.
“What we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference, who want to keep our people and our nation safer,” he added.
The stats
The hackers were let loose on five public-facing DoD sites, according to the Pentagon: defense.gov, dodlive.mil, dvidshub.net, myafn.net, and dimoc.mil.
The first report came in only 13 minutes after the program started, the DoD reported.
The most severe vulnerability found, and the one that earned the most money, was a SQL injection, HackerOne said on its website. A SQL injection is an attack where someone injects their own malicious database query, usually to tamper with or alter data.
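To make that one-sentence description concrete, here is an added example (not code from the article, the DoD or HackerOne) using Python's built-in sqlite3 module on a constructed two-row table: the unsafe lookup pastes user input into the query text, while the hardened lookup binds it as a parameter so the database never parses the input as SQL.

```python
import sqlite3

# Constructed sample data; not taken from any DoD system.
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the input is concatenated into the SQL text, so a quote
    # character in the input changes the query's structure instead of
    # being treated as data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened: the value is bound as a parameter. The database compiles
    # the query first and then supplies the value, so it is only ever data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a classic test input."""
    conn = make_db()
    # Constructed input that closes the string literal and appends an
    # always-true condition; used here only to show the difference.
    probe = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_probe": lookup_unsafe(conn, probe),  # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_probe": lookup_safe(conn, probe),      # returns no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The unsafe variant returns the whole table for the probe input, which is exactly the data exposure a parameterized query prevents.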
Clark found some of the less severe bugs.
“XSS, CSRF, and some open redirects,” he said. “It was easy to find vulnerabilities that were low impact, similar to almost all sites online,” Clark explained. “I did not find any vulnerability that would be considered a high risk.”
The average reward was $588, HackerOne said, with the total of all bounties reaching $71,200.
“Friendly eyes”
Clark and the other security hackers want to try their hand at DoD defenses again. And they will get the chance, according to the Pentagon.
The program cost the DoD $150,000, far less than the $1 million the department would have spent hiring a private company to test its networks, Carter said. The department contracted with HackerOne to run the program and help figure out which bounty reports were unique and legitimate and which were duplicates.
“When it comes to information and technology, the defense establishment usually relies on a closed system,” he said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix and the greater security we can provide.”
Allowing outside researchers to find bugs allows the DoD’s cybersecurity specialists more time to fix those vulnerabilities, he added. The next steps include, according to Carter:
- Creating a vulnerability disclosure process so security researchers can report vulnerabilities in DoD systems without fear of legal repercussions.
- Expanding the bug bounty program to other DoD areas.
- Laying out incentives for contractors to do things like bug bounty programs to review their technology before they deliver products to the DoD.
“This will help them make their code more secure from the start and before it’s installed on our system,” Carter said.
Who is out-innovating whom?
The Pentagon borrowed the bug bounty program concept from innovative technology companies, Carter said.
But the DoD took it even further, said HackerOne.
“The Pentagon took a unique and transparent approach in that they announced this program publicly,” said HackerOne CTO and co-founder Alex Rice. “The vast majority of these pilot programs begin behind closed doors.”
Most bug bounty programs start small with a handful of hackers and then organizations invite more people before going public, said HackerOne’s Lauren Koszarek.
“Nearly 85% of HackerOne customers start out this way and around 75% of our 500+ customers are still in private,” she said.
The public approach made a big difference in the program’s success, Rice told Archer News from a plane over the Atlantic, and he expects more companies to follow suit.
“It is unheard of to have 1,400 hackers register for a bug bounty pilot, especially one with eligibility requirements,” he said. “It is rare to see the government out-innovating their private counterparts,” he added.