Defense

DOD bullish on bug bounties

Shutterstock image.

The Defense Department announced results from its inaugural "Hack the Pentagon" bug bounty program June 17 and cast the push as a first-of-its-kind success that kicked off fast and drew widespread involvement.

The program, which ran from April 18 to May 12, generated 1,189 vulnerability reports from more than 1,400 participants.

Defense Secretary Ash Carter said 138 reports were found to be credible threats covering a wide range of vulnerabilities that DOD has since remediated in partnership with cybersecurity contractor HackerOne.

The program cost $150,000, half of which was paid to hackers.

"It's not a small sum," Carter said, "but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million."

DOD announced that the "Hack the Pentagon" spirit would live on through three new measures: a central DOD vulnerability disclosure process, more bug bounties at DOD components and the promotion of contractor transparency.

"In some circumstances, we will encourage contractors to make their technologies available for independent security reviews such as bug bounties before they deliver them to us," Carter said. "This will help them make their code more secure from the start and before it's installed on our system."

Meanwhile, DOD CIO Terry Halvorsen praised government efforts to tackle cybersecurity exposure by refreshing out-of-support technology systems.

At a June 17 AFCEA NOVA luncheon, Halvorsen said he supports the establishment of the proposed $3.1 billion IT modernization fund. He added that although the fund could prove useful for federal civilian agencies, DOD would likely remain self-reliant for modernization funding.

"I suspect the DOD will not be that big of a player in the innovation fund," Halvorsen said. "We actually do pretty well at tackling modernization for the most part now."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


Featured

  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.