U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis. UNITED STATES AIR FORCE / MATTHEW LANCASTER

What the Pentagon’s Bug Bounty Program Won’t Fix

The defense secretary reveals a prize pool of $150,000, but will the program reveal the limits of Silicon Valley solutions to DOD problems?

Hackers who find holes in the Pentagon’s public-facing websites stand to earn a share of $150,000 — yet their prizes might be less than they could earn by fashioning exploits and selling them on the black market. Indeed, one result of the historic open-source “Hack the Pentagon” bug-finding program may be discovering the limitations of “Silicon Valley-esque” solutions to DOD’s biggest problems.

The Pentagon isn’t asking people to go after sites or data on the Secret Internet Protocol Router Network, or SIPRNet, which carries secret information, or even the sensitive-but-unclassified Non-Secure Internet Protocol Router Network, or NIPRNet. Instead, the program will focus on public-facing networks and websites, of which the Pentagon operates some 450. They don’t pose any sort of mission vulnerability, but they can be targeted by people looking to disrupt access for users and embarrass the military.

The program will be led by the brand-new Defense Digital Service. Defense Secretary Carter announced the program on March 2 and called it a model for future efforts. “This is a best practice. We should be doing this. We should be thinking of this throughout the entire development of any new technology or product or service that we offer within the DoD … The goal here is to create a repeatable new process that we can roll into a bunch of other things that are going on at the DoD.”

How repeatable is it? The success or failure of the Hack the Pentagon program will reveal the answer, in part. “The point of the pilot is to refine the process,” Katie Moussouris, chief policy officer at HackerOne, told reporters in Austin yesterday.

“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” said Carter Thursday in a press release. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”

The Pentagon has enlisted the aid of HackerOne, a company that organizes and manages bug bounty programs and vulnerability-finding contests. (Interested? Here’s the registration page.) HackerOne will do the vetting and reporting of the bugs to the Defense Department. The hunt runs from April 18 to May 12. It’s closed to people on the Treasury Department’s Specially Designated Nationals list, so if you’re a terrorist, drug trafficker or enemy of the state, no need to apply. Interested participants will have to undergo a background check “to ensure taxpayer dollars are spent wisely,” according to the release.

Bounty payments will “depend on a number of factors, but will come from the $150,000 in funding for the program,” according to the release. It’s a small fraction of the Pentagon’s $35 billion IT budget.

How much is finding a major flaw in a Pentagon-run website actually worth? That depends. The price paid for finding critical vulnerabilities in websites or IT infrastructure can vary tremendously, but if you can earn, say, $10,000 for finding a vulnerability, you might earn up to 10 times as much for building an actual exploit to sell on the grey market or the black market, according to research from Lillian Ablon, Martin C. Libicki, Andrea A. Golay, and the RAND Corporation.

“Some estimates even go up to $1 million, but are often thought to be exaggerated. Zero-days’ ‘single-use’ nature also contributes to the high price,” they write.

Moussouris discussed the price discrepancy in her briefing: “The offense market pays for bugs at the highest prices because they’re paying for secrecy and they’re paying for longevity of the use of those vulnerabilities. They’re not paying to get them fixed. Whereas the defense market, if you think about bug bounties in that context and price setting, you’re paying as a reward and a thank you for coming forward with that vulnerability information.”

Does that mean that the Pentagon’s bug bounty program is playing it cheap? Not exactly, says Ablon.

“Keep in mind that payment isn’t always the top priority for security researchers. Some do it for other reasons, like intellectual challenge, or recognition on a security bulletin (which is often then used for resume building),” she said in an email.

To that end, “I hacked the Pentagon” seems like a useful credential for a cybersecurity professional looking to land legitimate gigs, something Moussouris pointed out in her briefing.

“The prices do vary in the defense market, which bug bounties are part of. However, there are other incentives that are involved … a lot of the hackers, like myself, will choose to help and not just for money but for recognition. This is a historic program. It’s a historic program in the United States and it’s a historic program in the world. The prestige of being part of the very first program for the U.S. government is also a commodity in and of itself.”

The program’s most valuable contribution may not even be improving the security of some public-facing DOD websites so much as setting a new precedent for government-hacker relations. “What they really are doing is they’re experimenting with the process of crowdsourcing. And they’re experimenting with new ways to identify talent,” said Moussouris.

But the program in its current form also shows that trendy crowdsourcing solutions like bug hunts won’t work for every Defense Department problem, putting “repeatability” in question and revealing the program’s real value to be PR points. The Pentagon has bigger IT issues than its public-facing websites.

The Defense Department has tasked Undersecretary Frank Kendall’s office with evaluating every weapon in the Pentagon’s arsenal for cyber vulnerabilities. No word on when Kendall will be issuing a bug bounty program for the F-35.

“The DoD wouldn’t likely have a bug bounty for a mission-critical system to begin with – similar to how United [Airlines] limited their bug bounty to their website, and excluded aircraft. Just too risky to have a whole bunch of security researchers crawling around their systems,” said Ablon.

The bounty on the Pentagon’s biggest bugs is likely more than the department can afford.

Kevin Baron contributed to this report from Austin, Texas.
