Pentagon bounty program reveals 90 bugs
- By Sean Lyngaas
- May 17, 2016
Hackers found about 90 vulnerabilities in the Defense Department’s public websites as part of a highly touted bug bounty program, officials say. Those vulnerabilities included the ability to manipulate website content, "but nothing that was… earth-shattering" and worth shuttering the program over, according to Corey Harrison, a member of the department’s Defense Digital Service.
The two-week bounty program, which Defense Secretary Ash Carter announced in Silicon Valley in March, wrapped up last week and could be a springboard for similar programs across federal government.
Harrison told FCW that the bounty program is just a first step, and that Defense officials are considering expanding it to cover more DOD assets. He spoke May 17 at an event in Washington hosted by Dcode42, an organization that connects startups with possible government customers.
DOD has its own cadre of computer specialists that probe defense networks for flaws, but retaining them is challenging in the face of private firms that can pay double or triple their salaries.
Those cyber protection teams, unlike the private hackers, cover classified systems. "They're busy, and we get that," Harrison said of DOD's red teams. "So this was just an opportunity to…augment their efforts."
DDS is made up of about 15 entrepreneurs and tech hands who are trying to get the defense bureaucracy to apply a startup mentality to specific projects. A sign hanging in their office reads: "Get shit done," Harrison said.
He described an informal atmosphere in which the team is free to experiment with new tools such as the messaging application Slack. But his team's tinkering is in some respects a world apart from DOD programming. If the broader department were to use Slack, for example, lawyers would have to make sure the application complies with Freedom of Information Act regulations.
Even the name of the bug bounty program, Hack the Pentagon, was initially controversial. "They told us the name was a non-starter, which is awesome," Harrison said. "That's a great place to start."
Harrison described overwhelming interest in the program -- organizers expected a couple hundred hackers to register, but ultimately there were 1,400.
Corporate bug bounty programs can be lucrative for hackers. Yahoo for example, has paid security researchers $1.6 million since 2013 for bugs, including up to $15,000 per discovery, Christian Science Monitor’s Passcode reported.
That will be the maximum possible bug bounty in the Pentagon's pilot project, too, spokesman Mark Wright told FCW. An estimated $75,000 total is available to pay hackers participating in the DOD program, he said, and officials are still parsing the program data to determine allotted payments.
Yet some IT security experts have been critical of the DOD program. Robert Graham, a cybersecurity inventor and blogger, has asserted that DOD’s overtures to hackers have been undercut by the department’s discouragement of researchers from conducting their own scans of DOD assets.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.