You may remember a while back when the Pentagon launched a bug bounty program. Entitled ‘Hack the Pentagon’, the event took specially selected cybersecurity experts and allowed them to find vulnerabilities in select areas of the Department of Defense’s network. Press releases from the government showed that Hack the Pentagon was ultimately a success and that the intelligence community was open to more bug bounties. In light of this, it makes sense that the Department of Defense recently contracted HackerOne and Synack to create a larger bug bounty program.
As reported by Infosecurity Magazine, the DoD is using $7 million to be spread over 14 different hacking challenges. With the previous event yielding 138 vulnerabilities, the number of vulnerabilities found should increase, as there will be “hundreds” of security professionals working this new bug bounty. It should be noted, however, that Hack the Pentagon employed 1,400 vetted hackers, so it will be interesting to see whether this program will in fact be more successful.
The higher monetary values will likely draw far more individuals to this particular bug bounty. The key for the DoD is homing in on the best experts in the private InfoSec world, of which there are many, to work on this program. As Mark Wright, spokesperson for the Office of the Secretary of Defense, stated, “partnering with these leading crowdsourced security companies, we can take a much more innovative, diverse, scalable, and effective approach to better protect and defend our digital assets.”
Obviously, if you’ve been reading my articles, you know I am personally wary of the private security community getting a little close to the DoD. I can only hope that the cause of cybersecurity for all is advanced as a result of bug bounty programs. The monetary incentive is high, so possibly the most successful “bug finders” can put the cash towards cybersecurity research.