Pentagon: We'll pay you if you can find a way to hack us
DoD puts money behind bug bounty program after reward-free pilot
The US Department of Defense has created a broad but short bug bounty program for reports of vulnerabilities in public-facing systems and applications.
The Hack US program kicked off on Independence Day and is scheduled to run though July 11, with reward totals reflected by the severity of the flaws.
The DoD has allocated up to $110,000 for the exploit hunt. Vulnerability spots can bring in $500 or more for high-severity flaws, and critical holes are worth at least $1,000 with as much as $5,000 set aside for particular awards, such as $3,000 for the best finding for *.army.mil.
The initiative is being run with bug bounty platform maker HackerOne, which teamed up with the DoD to operate a 12-month pilot program that ended in April. Hack US adds monetary rewards to the calculation.
"This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible Department of Defense (DoD) information systems, including web properties, and submitting discovered vulnerabilities to DoD," the department wrote in its program outline.
Bug bounty programs are becoming popular among private corporations as well as public agencies as another tool for shoring up security defenses at a time threats are growing in number and sophistication.
"Vulnerability disclosure and bug bounty programs can be effective cybersecurity tools that provide a good 'bang for the buck,'" Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows, tells The Register. "These programs extend defenders' vulnerability management strategy by complementing internal efforts. Companies can outsource the triage and management of vulnerability disclosure to a third party."
Holland adds that "technology companies that don't offer bug bounty programs are already behind the curve. Given that almost all companies are technology companies these days, most public-facing companies should have vulnerability disclosure or bug bounty programs."
- If you can find and fix this subtle Chromium bug that breaks some extensions, there's $8k waiting for you
- Crypto sleuths pin $100 million Harmony theft on Lazarus Group
- If you didn't store valuable data, ransomware would become impotent
- There are 24.6 billion pairs of credentials for sale on dark web
Such programs also give security researchers financial incentives to uncover vulnerabilities that threaten companies and agencies, according to Mike Parkin, senior technical engineer at risk remediation company Cyber Vulcan.
"With the sheer complexity of modern code and the myriad interactions between applications, it's vital to have more responsible eyes looking for flaws," Parkin tells The Register. "We know threat actors are doing it to find exploits they can leverage. Honest researchers should have some form of incentive as well."
In April, Microsoft upped the reward amounts in its bug bounty program by as much as 30 percent for ethical hackers who find "high-impact" bugs in its Office 365 products, while Meta in December 2021 widened its program to include scraping attacks on Facebook. Scraping attacks involve using automated tools to "scrape" information from such sources as users' profile pages.
On that note, the global bug bounty market is growing rapidly. According to analyst firm All the Research, the space will grow from $223.1 million in 2020 to more than $5.4 billion by 2027. Investments also are flowing into bug bounty vendors. HackerOne in January announced $49 million in Series E funding while European company Intigriti in April said it raised $22.3 million.
This isn't surprising. According to Edgescan, a vulnerability intelligence and detection company, 20.4 percent of vulnerabilities discovered in 2021 in web applications and network infrastructures combined were rated either high- or critical-risk. Bug bounty programs can help reduce the risk to companies and their partners and customers.
"Bug bounty programs are quite successful for both organizations and security researchers," Ray Kelly, Fellow at integrated software vendor Synopsys Software Integrity Group, tells The Register. "Effective bug bounty programs limit the impact of serious security vulnerabilities that could have easily left an organization's customer base at risk. Payouts for bug reports can sometimes exceed six figure sums, which may sound like a lot. However, the cost for an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue."
The DoD's pilot program that ended in April – the Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) – launched with 14 voluntary participating companies and 141 assets under the microscope, but interest in the program convinced the agency to expand it to include 41 companies and 348 assets. In all, 288 HackerOne researchers submitted 1,015 reports, of which 401 were deemed actionable for remediation.
The new program is being run by the Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services and DoD Cyber Crime Center (DC3) in conjunction with HackerOne. Of the total reward money, $75,000 will be doled out on a first-submitted, first-awarded basis, according to the DoD. The other $35,000 is tagged for special vulnerability awards, such as Best Finding in the Hack US Event and best findings in domains in such branches as the Army, Navy, Air Force, Marines, Space Force and Coast Guard.
Bugcrowd founder and CTO Casey Ellis tells us that DC3 made a smart move to upgrade its vulnerability disclosure program to include a paid bug bounty program.
"There's a ton of technology already deployed, our rate of deploying new technology only increases and accelerates, and the adversaries we face continue to get better skilled, more aggressive, and more diverse." Ellis explains. "There are certainly security technology solutions which continue to be invented and used, but at the end of the day, cybersecurity is a fundamentally human problem, therefore humans will also, and most likely increasingly, have a major role to play in defending the internet." ®