2016 Report to Congress
Identifying Security Vulnerabilities in Department of Defense Websites – Hack the Pentagon
The Department of Defense (DoD) spends billions of dollars every year on information security. However, the DoD had not yet taken advantage of a “bug bounty” approach to identifying security vulnerabilities that has gained traction in the private sector.
In this “bug bounty” approach, private citizens and organizations are invited to probe specific services for potential security vulnerabilities, and are rewarded for qualifying vulnerabilities they uncover and responsibly disclose to the sponsoring organization. In this way, private citizens are provided a legal way to disclose potential vulnerabilities without fear of retaliation or prosecution, and are given an incentive for doing so. Private sector companies have successfully used this approach to improve the security of their systems. Despite this technique’s acceptance as an industry best practice, the government had not attempted such an initiative before.
Project Impact Summary
- In January 2016, the Digital Service team at DoD (Defense Digital Service) got approval for the Hack the Pentagon program, inviting private citizens to find and get rewarded for uncovering vulnerabilities in its information security system.
- This “bug bounty” approach mirrors that used by companies like Facebook and Twitter to catch more vulnerabilities and cost-effectively improve security.
- DoD contracted HackerOne – a well-known bug bounty platform startup with a strong reputation in the hacker community – to run the program.
- The digital services team, in conjunction with the existing vendors, worked in near real-time to fix security flaws as they were disclosed.
- The program led to the resolution of 138 previously unidentified vulnerabilities and cost $150,000. Contracting an outside firm to do a similar audit would have cost an estimated $1M and possibly still would not have provided the same security coverage.
- In June, the Secretary of Defense announced that DoD would run a persistent bug bounty program, and efforts are being made to share the practice with other agencies. There are also additional bug bounties the DoD will be running through the month of December.
On April 18, 2016, the DoD, supported by the USDS’ Defense Digital Service team, launched the first bug bounty in the history of the Federal Government. This innovative effort, adopted from the private sector, authorized security researchers – “hackers” – to attempt to hack a limited set of public-facing DoD systems and report vulnerabilities in exchange for financial rewards. This crowdsourced solution used the talent of over a thousand individuals, 250 of whom submitted at least one vulnerability report. Of these, 138 vulnerabilities were determined to be legitimate and unique. These had escaped notice in previous penetration tests DoD conducted. Using this information, DoD resolved all of the vulnerabilities.
While the program was underway, the Defense Digital Service team held daily calls with all agency stakeholders to maintain everyone’s situational awareness of bounty activities. There was also a pre-determined escalation process in place to follow in case of an immediate, critical need for defensive action against out-of-scope activity.
For the first challenge, the DoD contracted with HackerOne, an experienced administrator of bug bounty programs that performs services for companies such as Yahoo, Square, and Twitter. This strategy worked well for several reasons: HackerOne already had a strong reputation and relationship with the hacker community, it could quickly subcontract a private background check firm, it receives and triages vulnerability reports, and it is able to allocate payouts for qualifying bounties. Using a third-party platform also served to quell any concerns among hackers about providing personal information to the DoD as part of a larger effort to create a hacker database.
The cost of the program was $150,000. DoD estimates hiring an outside firm to perform a comparable security audit and vulnerability assessment would have cost more than $1 million.
In early June, Secretary of Defense Ash Carter announced his plan to launch a persistent DoD Bug Bounty program to continue to allow hackers to be paid for discovering security flaws in specific DoD websites, applications, binary code, networks, and systems. To make this possible, he had the Defense Digital Service take on three initiatives: run more bug bounty programs for other DoD components in 2016; develop a Vulnerability Disclosure Policy that would firmly and clearly express that hackers are acting legally when they surface DoD vulnerabilities; and provide guidance for the future acquisition of services like those provided by HackerOne.
To date, two new bug bounty programs are in the planning stages. The disclosure policy has been drafted and circulated, and is on track for release by the end of 2016. Acquisition guidance is in progress. The contract with HackerOne has been renewed, and is a model for future contracts not just at DoD, but government-wide. Altogether, these efforts will help the Defense Digital Service work with interagency teams to advise on implementing similar bug bounty programs. There will also be a “Government Only” day for agency stakeholders to gather and gain insight on Hack the Pentagon’s model of success.
|Engage the hacker community.||Complete. 1,400 Registered Participants|
|Identify and fix previously unknown security vulnerabilities.||Complete. 138 vulnerability reports were determined to be legitimate, unique and actionable for remediation. DoD fixed all vulnerabilities identified.|
|Resolve vulnerabilities at a cost lower than would be possible with other methods.||Complete. The total contract cost was $150,000, with approximately half of this paid as bounties to participants. With 138 actionable vulnerability reports, that equates to less than $1,100 per vulnerability. DoD estimates it would have cost $1M for an outside firm to perform a similar security audit.|
- January 2016: Hack the Pentagon program approved.
- March 2016: Contract signed to start the program.
- April 2016: Challenge start date and bounty start date.
- May 2016: Bounty end dates.
The Process and Lessons Learned
Provide a method for outside individuals to responsibly disclose security vulnerabilities. Many private citizens have an interest in uncovering security issues. Private sector companies often provide such individuals a legal, secure way to disclose vulnerabilities without fear of retaliation or prosecution. Hack the Pentagon has shown that the “bug bounty” approach can work well for the government. Even if there is no active bug bounty program, providing researchers a way to provide responsible disclosure of vulnerabilities could yield results.
Ensure the agency is prepared to remediate vulnerabilities as they are discovered, in near real-time. DoD took the important step of putting a team on standby that could implement fixes to the vulnerabilities as they were disclosed. Being able to quickly address issues helped ensure no malicious activity could take place.
Involve stakeholders early. Running a new type of program in government can be complicated. The Defense Digital Service team worked closely with the DoD Office of General Counsel to resolve legal questions around bug bounty payments, participant background checks, and whether bounties could be paid to U.S. Government personnel.