What the Pentagon’s Bug Bounty Program Won’t Fix

Hackers who find holes in the Pentagon’s public-facing websites stand to earn a share of $150,000 — yet their prizes might be less than they could earn by fashioning exploits and selling them on the black market. Indeed, one result of the historic open-source “Hack the Pentagon” bug-finding program may be discovering the limitations of “Silicon Valley-esque” solutions to DOD’s biggest problems.  

The Pentagon isn’t asking people to go after sites or data on the Secret Internet Protocol Router Network, or SIPRNet, which carries secret information, or even the sensitive-but-unclassified Non-Secure Internet Protocol Router Network, or NIPRNet. Instead, it will focus on public-facing networks and websites, of which the Pentagon operates some 450. They don’t pose any sort of mission vulnerability but they can be targeted by people looking to disrupt access for users and embarrass the military.

The program will be led by the brand-new Defense Digital Service. Carter announced the program on March 2 and called it a model for future efforts. “This is a best practice. We should be doing this. We should be thinking of this throughout the entire development of any new technology or product or service that we offer within the DoD … The goal here is to create a repeatable new process that we can roll into a bunch of other things that are going on at the DoD.”

How repeatable is it? The success or failure of Hack the Pentagon program reveal the answer, in part. “The point of the pilot is to refine the process,” Katie Moussouris, chief policy officer at HackerOne, told reporters in Austin yesterday.

“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” said Carter Thursday in a press release. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”

The Pentagon has enlisted the aid of HackerOne, a company that organizes and manages bug bounty programs and vulnerability finding contests. (Interested? Here’s the registration page.) Hackerone will do the vetting and reporting of the bugs to the Defense Department. The hunt runs from April 18 to May 12. It’s closed off to people on the Treasury Department’s Specially Designated Nationals list, so if you’re a terrorist, drug-trafficker or enemy of the state, no need to apply. Interested participants will have to undergo a background check “to ensure taxpayer dollars are spent wisely,” according to the release.

Bounty payments will “depend on a number of factors, but will come from the $150,000 in funding for the program,” according to the release. It’s a small fraction of the Pentagon’s $35 billion IT budget.

How much is finding a major flaw in a Pentagon-run website actually worth? That depends. The cost for finding critical vulnerabilities in Web sites or IT infrastructures can vary tremendously, but if you can earn, say, $10,000 for finding a vulnerability, you might earn up to 10 times as much for building an actual exploit to sell on the grey market and the black market, according to research from Lillian Ablon, Martin C. Libicki, Andrea A. Golay, and the RAND Corporation.   

“Some estimates even go up to $1 million, but are often thought to be exaggerated. Zero-days’ ‘single-use’ nature also tributes to the high price,” they write.

Moussouris discussed the price discrepancy in her briefing, “The offense market pays for bugs at the highest prices because they’re paying for secrecy and they’re paying for longevity of the use of those vulnerabilities. They’re not paying to get them fixed. Whereas the defense market, if you think about bug bounties in that context and price setting, you’re paying as a reward and a thank you for coming forward with that vulnerability information.”

Does that mean that the Pentagon’s bug bounty program is playing it cheap? Not exactly, says Ablon.  

“Keep in mind that payment isn’t always the top priority for security researchers. Some do it for other reasons, like intellectual challenge, or recognition on a security bulletin (which is often then used for resume building),” she said in an email.

To that end, “I hacked the Pentagon” seems like a useful credential for a cybersecurity professional looking to score legit gigs, something Moussouris pointed out in her briefing.  

“The prices do vary in the defense market, which, bug bounties are part of the defense market. However, there are other incentives that are involved … a lot of the hackers, like myself, will choose to help and not just for money but for recognition. This is a historic program. It’s a historic program in the United States and it’s a historic program in the world. The prestige of being part of the very first program for the U.S. government is also a commodity in and of itself.”

The program’s most valuable contribution may not even be improving the security of some public-facing DOD Web sites so much as setting a new precedent for government-hacker relations. “What they really are doing is they’re experimenting with the process of crowdsourcing. And they’re experimenting with new ways to identify talent,” said Moussouris.

But the program in its current form also shows that trendy crowd-sourcing solutions like bug hunts won’t work for every Defense Department problem, putting “repeatability” in question, and revealing the program’s real value to be pr points. The Pentagon has bigger IT issues than its public-facing Web sites.

The Defense Department has tasked Undersecretary Frank Kendall’s office with evaluating every weapon in the Pentagon’s arsenal for cyber vulnerabilities. No word on when Kendall will be issuing a bug bounty program for the F-35.

“The DoD wouldn’t likely have a bug bounty for a mission-critical system to begin with – similar to how United [Airlines] limited their bug bounty to their website, and excluded aircraft. Just too risky to have a whole bunch of security researchers crawling around their systems," said Ablon.

The bounty on the Pentagon’s biggest bugs is likely more than the department can afford.

Kevin Baron contributed to this report from Austin, Texas.