Why bug bounty programs are worth the risk

Shutterstock image. 

The bug bounty programs the Defense Department launched in 2015 with the agency's "Hack the Pentagon" pilot have found more vulnerabilities in shorter time frame and reduced testing costs dramatically, according to a digital service expert at the DOD.

In a presentation at a March 30 meeting of the Information Security and Privacy Advisory Board, the Pentagon's Hunter  Price said the programs have found hundreds of vulnerabilities at a fraction of the cost of commercial penetration testing.

During the "Hack the Army" bounty program, concluded last November, the DOD paid out $150,000 in bounties to about 1,300 hackers who probed five public-facing DOD websites, Price said.

Contractors had tested the websites previously and found 10 low-risk vulnerabilities. But bug bounty hunters, he said, found the first vulnerability within five minutes and ultimately found 165 problems, some "high risk."

That result, he said, was "1,000 percent" return on investment, he said.

Getting the best hackers to participate can mean casting a wide net that can include hackers that have some legal baggage, he said.

Although participants in the 2015 Hack the Army and Hack the Pentagon pilots underwent background checks, the DOD has had to accept some risk.

Intense scrutiny, he said, "can scare off talent" who may be able to find more insidious system weaknesses, Price said. DOD weeded out some hackers from the programs "who we didn't want to pay for PR reasons," he said.

The General Services Administration is more welcoming to bug bounty participants -- and more lenient when it comes to background checks for participants, said Eric Mill, senior advisor for the Technology Transformation Service.

"We want to get a variety of people. I have no problem paying a teenager from Russia, if they can improve our system," Mill said.

The GSA, Mill said, isn't developing its bug bounty program for other agencies, only for itself. The scope of the program, Mill told FCW, could cover bigger, critical GSA services such as and the shared service identity management tool

Although GSA’s bug bounty program  won’t cover other federal agencies, some ISPAB board members wondered how it could be adapted as a shared service for all of government.

"It's possible," said Mill, but any future bug bounty shared service would have to "understand how decentralized" agencies can be and one-size-fits-all approaches could complicate such an effort.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group