During a one-week Department of Defense (DoD) “bug bounty” challenge in July, ethical hackers submitted 648 reports, including 349 actionable events. The challenge, which was launched by the Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3), was an extension of DoD’s vulnerability disclosure program (VDP) running on the HackerOne bug bounty platform.
The DoD announced earlier this year that it was offering a total bounty pool of $110,000, representing $75,000 in rewards for submitted vulnerability reports and $35,000 for bonus awards. The entire bounty pool was exhausted, while a total of 267 “white hat” or ethical hackers participated in the challenge, and 139 were new to the VDP.
Many of the reports submitted described issues that could have become critical had they not been identified and remediated during the bug bounty challenge, the DC3 announced. The findings will also be used to address the root causes of the security issues and to prevent their malicious exploitation.
“With Hack US, The U.S. Department of Defense has wisely tapped into one of the best cybersecurity resources there is – the informal ecosystem of white hat hackers who are constantly probing for and seeking out vulnerabilities in organizations, with the goal of reporting them for mitigation before a threat actor finds and exploits them,” explained Chloé Messdaghi, chief impact officer (CIO) at security research firm Cybrary.
“This talented global community of hackers has generally strived to comply with organizational vulnerability disclosure policies wherever such policies actually exist,” Messdaghi told ClearanceJobs.
She added that the hacker community has been finding and reporting vulnerabilities for a very long time, and has been putting itself at risk when helping the government and major organizations.
“The DOD recognizes that even its security teams with unquestionably talented and strong red teamers must work primarily in defensive modes, and appropriately so,” noted Messdaghi.
A key advantage of these “bug bounty” programs is that they draw on “outside thinkers,” who may look for vulnerabilities differently than those who work with the systems on a daily basis. This makes VDPs invaluable.
“It arms the independent cybersecurity research community to help find vulnerabilities before would-be attackers do,” said Messdaghi. “A good VDP is the invisible layer that all too many private and public security programs are missing. The DoD is leading by example here.”
Hack US is also just one example that highlights the value of VDPs, under which ethical hackers can legally explore an organization’s vulnerabilities and defenses – within the organization’s defined scope – and report potential security issues. Bug bounties have proven beneficial across both the public and private sectors, and the DoD’s effort to pursue ongoing improvement has been seen as a move in the right direction.
“The bounties have grown rapidly in popularity over the last decade or so, and organizations have seen positive results by dedicating swaths of researchers to safely test and uncover vulnerabilities or exposed data in their product in the hope of enhancing security posture,” Melissa Bischoping, director and endpoint security research specialist at Tanium, told ClearanceJobs.
“A huge plus that a bug bounty offers is a fresh set of eyes that can catch anomalies that internal scanning, testing, and auditing processes sometimes miss due to routine, fatigue, etc.,” Bischoping continued.
Cost Effective Solution
For government agencies, these VDPs should also be seen as highly cost-effective. For what is essentially a year’s salary for a highly skilled and experienced cybersecurity professional, Hack US was able to gain knowledge from more than 250 “experts” who stepped up to expose vulnerabilities in the DoD’s networks.
“In this case, the DoD offered a total pool of $110,000, a drop in the bucket when viewed through the context of the types of data the program is seeking to defend against threat actors,” said Messdaghi. “And the results really paid off: 267 ethical hackers participated in the DoD’s Hack US event and submitted 648 reports, including 349 that required action.”
However, not every bug bounty program will yield the same results. A successful VDP needs more than cash rewards for hackers.
“It’s worth remembering that every good VDP must start with three important promises: that the organization’s committed to securing its data, is willing to be a party to a productive (and non-punitive) alliance with hackers, and if so alerted to a vulnerability, they will act to quickly address it,” Messdaghi continued.
She further suggested that VDPs are central to security-minded entities such as the DoD, while DHS Secretary Alejandro Mayorkas and CISA Director Jen Easterly’s team can and should advocate for widening their acceptance and usage – in both the public and private sectors.
Understanding the Cons of Bug Bounties
There are a few downsides to these programs, at least if a VDP isn’t executed properly, experts warn. Improper planning can make the programs essentially useless, and even with ethical hackers, actionable findings need to be addressed quickly.
“If inadequately staffed and prepared, bug bounties can overwhelm teams as issues are identified and need to be fixed,” explained Bischoping.
“Most importantly, bug bounties can potentially leave an organization more vulnerable if not conducted properly,” she added. “Even with an NDA in place, due to the sensitive nature of the information gathered, it is essential to work only with trustworthy, thoroughly vetted facilitators and researchers.”
Understanding the Results
With Hack US concluded, it is still unlikely the general public will ever learn the specifics of what was found in the challenge. Yet the event facilitator HackerOne disclosed that the top three vulnerability types found were information disclosure, improper access control, and SQL injection, all of which consistently appear in the Open Web Application Security Project (OWASP) “Top 10 Web Application Security Risks” list.
It certainly seems that the DoD was able to get its money’s worth from the summer’s VDP.
“It’s great to see that the DoD acknowledges and partners with talented, everyday heroes who are working hard to find bugs, close vulnerabilities, and generally protect and serve: the good-faith hacker community,” said Messdaghi.