DOD leads the way in crowdsourced security

To strengthen the defenses and resilience of IT systems, organizations increasingly are turning to ethical hackers and running bug bounty programs that offer rewards for uncovered vulnerabilities.

While security researchers can earn big payouts from the likes of Google, Microsoft and other tech companies, they've also identified plenty of issues with public-sector websites, and government officials have seen the value of cybersecurity testing that pays only for results.

Government use of bug-bounty programs has increased at a year-over-year rate of  125, according to a new report from HackerOne, the company that runs the platform for hosting bug bounty competitions.  That makes government the leading industry sector for adoption of crowdsourced security.

The U.S. government's first major bug bounty program, Hack the Pentagon, was announced by the Defense Digital Service in April 2016, and offered vetted ethical hackers bounties for identifying and resolving security vulnerabilities in five of Defense Department's  public-facing websites.  For that initial challenge, more than 1,400 hackers signed up, and the first bug was reported just 13 minutes after the contest began. In all, 138 legitimate and unique vulnerabilities were found, and $75,000 in total bounty rewards were paid out.

Since then, DOD has run four more bug bounty challenges: Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System. To date, 5,000 vulnerabilities have been received in U.S. government systems and, according to a May 16 tweet from the Defense Digital Service, security researchers have earned over $400,000.

The program has expanded beyond the Pentagon.  The General Service Administration's 18F launched a bug bounty program for the Technology Transformation Service, covering vulnerabilities found in Federalist, data.gov, cloud.gov, login.gov and a handful of other websites.  Legislation has been proposed for similar programs for the Department of Homeland Security and the State Department as well as a bug-bounty program for finding vulnerabilities in election systems.

HackerOne's 2018 Hacker-Powered Security Report examined data from 78,275 security vulnerability reports collected over 1,000 bug bounty and vulnerability disclosure programs it runs around the world.

Across 11 industry sectors, the top two frequently identified vulnerabilities are related to cross-site scripting and information disclosure. For government programs, cryptographic issues tie for second.  Other top issues found in government systems include violations of secure design principles, open redirect problems and SQL injection.

And while finding vulnerabilities is important, resolving them quickly is imperative.  The fastest report-to-resolution is under 20 days for the consumer goods, financial services and health care industries.  The government sector takes 68 days from identification to resolution, though it pays bounties relatively quickly, in 18 days, even before issues are resolved.

In spite of success seen by government and tech industries, the vast majority of the 2017 Forbes Global 2000 companies do not have a policy for third-party vulnerability disclosures, HackerOne said, making security researchers sometimes reluctant to disclose vulnerabilities for fear of prosecution. 

At a February hearing of a Senate panel on data security and bug-bounty programs, HackerOne CEO Marten Mickos called for reforms to the Computer Fraud and Abuse Act, which criminalizes unauthorized computer access without making specific allowances for some security research activities.

"Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed," said Mickos, who criticized the CFAA for having "vague wording that has not kept pace with the proliferation of the internet."

Both DOD and GSA have developed such vulnerability disclosure policies, and the Department of Justice issued a framework in July 2017 to help agencies design their own policies.