Cybersecurity

Pentagon bounty program reveals 90 bugs

Shutterstock image.

Hackers found about 90 vulnerabilities in the Defense Department’s public websites as part of a highly touted bug bounty program, officials say. Those vulnerabilities included the ability to manipulate website content, "but nothing that was… earth-shattering" and worth shuttering the program over, according to Corey Harrison, a member of the department’s Defense Digital Service.

The two-week bounty program, which Defense Secretary Ash Carter announced in Silicon Valley in March, wrapped up last week and could be a springboard for similar programs across federal government.

Harrison told FCW that the bounty program is just a first step, and that Defense officials are considering expanding it to cover more DOD assets. He spoke May 17 at an event in Washington hosted by Dcode42, an organization that connects startups with possible government customers.

DOD has its own cadre of computer specialists that probe defense networks for flaws, but retaining them is challenging in the face of private firms that can pay double or triple their salaries.

Those cyber protection teams, unlike the private hackers, cover classified systems. "They're busy, and we get that," Harrison said of DOD's red teams. "So this was just an opportunity to…augment their efforts."

DDS is made up of about 15 entrepreneurs and tech hands who are trying to get the defense bureaucracy to apply a startup mentality to specific projects. A sign hanging in their office reads: "Get shit done," Harrison said.

He described an informal atmosphere in which the team is free to experiment with new tools such as the messaging application Slack. But his team's tinkering is in some respects a world apart from DOD programming. If the broader department were to use Slack, for example, lawyers would have to make sure the application complies with Freedom of Information Act regulations.

Even the name of the bug bounty program, Hack the Pentagon, was initially controversial. "They told us the name was a non-starter, which is awesome," Harrison said. "That's a great place to start."

Harrison described overwhelming interest in the program -- organizers expected a couple hundred hackers to register, but ultimately there were 1,400.

Corporate bug bounty programs can be lucrative for hackers. Yahoo for example, has paid security researchers $1.6 million since 2013 for bugs, including up to $15,000 per discovery, Christian Science Monitor’s Passcode reported.

That will be the maximum possible bug bounty in the Pentagon's pilot project, too, spokesman Mark Wright told FCW.  An estimated $75,000 total is available to pay hackers participating in the DOD program, he said, and officials are still parsing the program data to determine allotted payments.

Yet some IT security experts have been critical of the DOD program. Robert Graham, a cybersecurity inventor and blogger, has asserted that DOD’s overtures to hackers have been undercut by the department’s discouragement of researchers from conducting their own scans of DOD assets.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.