Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.
Nearly one year after it announced its vulnerability disclosure policy, the Pentagon received 2,837 valid bug reports from roughly 650 white hat hackers located in 50 countries around the world, according to HackerOne, the platform used by the organization to host its projects.
More than 100 of the flaws reported to the Pentagon through its vulnerability disclosure program have been rated critical or high severity. Weaknesses, found in nearly 40 DoD components, include remote code execution, SQL injection, and authentication bypass issues.
A majority of the reports were submitted by researchers from the United States, followed by India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.
The DoD vulnerability disclosure program does not offer any monetary rewards - it only provides a channel for reporting security holes without the fear of potential legal consequences.
However, the Pentagon’s cybersecurity initiatives also include several bug bounty programs that offered monetary rewards. Researchers who took part in these challenges earned more than $300,000 for almost 500 flaws discovered in the organization’s public-facing systems. On the other hand, the government estimated that it saved millions of dollars by running these bug bounty programs.
The first initiative was Hack the Pentagon, which received 138 valid submissions and paid out roughly $75,000. Next were Hack the Army which paid out approximately $100,000 for 118 valid reports, and Hack the Air Force, which earned participants $130,000 for 207 valid reports.
Following the success of “Hack the Pentagon,” several bug bounty programs and related initiatives were announced by U.S. government organizations and lawmakers.
The General Services Administration (GSA) has launched a bug bounty program that offers rewards ranging between $300 and $5,000, and the Internal Revenue Service (IRS) announced a $2 million contract with security testing firm Synack for help in securing its online presence.
The Department of Justice (DoJ) has created a framework designed to help organizations develop formal vulnerability disclosure programs.
As for legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 will require companies that provide Internet-connected devices to the government to have a vulnerability disclosure policy. Senators also announced the Hack Department of Homeland Security (DHS) Act, which aims to establish a bug bounty pilot program within the DHS.