The Department of Defense is going to be expanding how it treats vulnerability disclosures as a result of the success of Hack the Pentagon.
Hack the planet? Tough. Hack the Pentagon? Easier, but still fairly tough. Yet, that didn’t stop more than 250 hackers from taking part in the Department of Defense’s first-ever bug bounty program.
The pilot, which ran from April 18 to May 12—less than a month—netted 138 vulnerabilities that the Defense Department determined to be “legitimate, unique and eligible for a bounty.”
Though the bug bounty program ended up costing the federal government around $150,000, officials believe it was money well spent.
“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” said Ash Carter, Secretary of Defense, as reported by the DoD.
The Department of Defense seems pleased by the results, as it also announced that it’s now planning to expand its bug bounty program and introduce other policies designed to help bolster DoD security.
That includes the creation of a new vulnerability disclosure policy that will allow anyone to submit information about potential vulnerabilities in DoD systems, networks, applications, or websites.
“Next we will expand bug bounty programs to other DoD Components, in particular the Services, by developing a sustainable DoD-wide contract vehicle. Lastly, we’ll include incentives in our acquisition policies and guidance so that contractors practice greater transparency and open their own systems for testing – especially DoD source code. With these efforts, we will capitalize on Hack the Pentagon’s success and continue to evolve the way we secure DoD networks, systems, and information,” reads an announcement from the Department of Defense.
The initial Hack the Pentagon program only focused on five publicly facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net, and dimoc.mil.
A total of 1,189 vulnerability reports were generated during the bug bounty period, and 138 were verified as critical vulnerabilities that the Department of Defense “quickly worked to remediate.”
Though the Department of Defense didn’t disclose the exact payouts—and who got what—it did note that the minimum payout for a discovered vulnerability was $100. One participant made around $15,000 after finding multiple vulnerabilities across the DoD’s sites.