The Pentagon’s First Bug Bounty Exceeded All Expectations

When I created the Defense Digital Service (DDS) earlier this year, I charged its Director Chris Lynch with bringing in talent from America’s most innovative sectors for a tour of duty to help us solve some of our most complex problems. In just a short time, they’ve helped us drill tunnels through the walls that too often separate the Pentagon from America’s wonderful and innovative technology base, one of our nation’s greatest sources of strength. The team of technologists at DDS has helped address some really important problems, like improving data sharing between DoD and the VA, to make sure our veterans get access to their benefits. Over the past several months DDS has worked closely with Defense Media Activity (DMA) — and several other dedicated components within the Pentagon — to achieve yet another important milestone, our first successful bug bounty, Hack the Pentagon.

Bug bounties are a widespread best practice in the outside world — and the concept is relatively simple. A company offers incentives to outside researchers — what most of us would call white-hat hackers — to test the security of its networks and applications, and report what they find, so the company can fix the vulnerabilities.

It’s a challenge for the white-hat hackers, which they like, and it’s a whole lot better for the company than learning the hard way, after the fact. And that is, that a black-hat hacker or a nation- state has exploited vulnerabilities to steal data or destroy data, or accomplish some other nefarious purpose.

While companies like Microsoft, Google, and Facebook have used this approach to crowd-source security for several years, no federal agency had ever offered a bug bounty. So we asked the question: why couldn’t we use this tool to complement the terrific work of our own in-house cybersecurity experts?

We face a competitive world — one that requires us at the Pentagon to think outside our five-sided box, and constantly challenge ourselves to do things differently. Through this pilot, we’ve found a cost-effective way to support what our dedicated people do every day to defend our systems and networks — and we’ve done it securely and effectively.

And the results exceeded our expectations.

All told, more than 1,400 hackers were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report. Of all the submissions we received, 138 were determined to be legitimate, unique, and eligible for a bounty.

As these reports arrived, we worked to remediate them in real time with support from a contractor, HackerOne. Today, a little more than a month after the pilot finished, we’ve remediated each and every one of these vulnerabilities found.

In total now, this pilot cost $150,000. It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.

Also, by allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly. My focus on making our operations more efficient and cost-effective at DOD is one of the reasons why we’re investing so aggressively in innovation, from innovative people, to innovative practices, to innovative technologies. Through Hack the Pentagon, we’ve combined all three of these elements — and to considerable success

Beyond the security fixes we’ve made, we’ve built stronger bridges to innovative citizens who want to make a difference to our defense mission. Individuals from across 44 states submitted reports. You can see a full list of the successful hackers on HackerOne’s Hall of Fame but I will tell you about two of them: Craig Arendt and David Dworken. Craig is a prolific security researcher who helped us identify a number of vulnerabilities, and David is a high school student who lives just down the road from the Pentagon.

For them and many others, this was about more than a reward or bounty. It was about the opportunity to make our country safer.

Over the course of my own career, I’ve found that people in the most innovative parts of our economy and society are there because they want to do things that truly matter. They want to spend their energies on issues of consequence. There’s a sense of responsibility that comes with knowledge and technical expertise. That’s a lesson that was imparted to me by many of my mentors, and a lesson that many technologists and innovators appreciate today. While many of our nation’s innovators are clearly motivated by this spirit, too often they lack avenues to channel it. For instance, when it comes to the security of DoD networks and systems, there is no reporting mechanism or pathway for them to tell us where we might be vulnerable — and sometimes there are legal hurdles.

Next Steps

The Hack the Pentagon Pilot was so successful, we want to ensure that we continue to learn from these kinds of exercises. That’s why as a result of Hack the Pentagon, we are going to create a central point of contact for researchers and technologists to safely and securely submit information about DoD security gaps. The creation of a policy for vulnerability disclosure is long overdue and I’m committed to developing one for the Department in the coming months.

Second, we’re working to expand bug bounty programs to other parts of the Department, so that the security benefits DMA has worked to achieve through this pilot can be replicated in other parts of our enterprise. I am directing DoD Components to review where bug bounties can be used as a valuable tool in their own security toolkit.

Third, we will include incentives in our acquisition guidance and policies so that contractors can take advantage of innovative approaches to cybersecurity testing. For example, in some circumstances we will encourage contractors to make their technologies available for independent security reviews through mechanisms such as bug bounties — which will give them one more reason to make their code more secure from the start. By offering U.S. researchers an avenue — albeit with important safeguards — for reporting vulnerabilities and gaps, we’ve done more with this pilot than make our networks more secure for the short-term. We’ve built relationships and trust for the long-term. We’ve provided a roadmap for other government departments and agencies to crowd-source their own security.

When it comes to information and technology, the Defense establishment usually relies on closed systems. “Security through obscurity” is often our default position. For many of our networks and applications, there’s good reason for that. But the more friendly eyes we have on some of our systems, networks, websites, and applications, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide our warfighters.

We know that state-sponsored actors and black hat hackers want to challenge and exploit our networks. What we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference and who want to help keep our people and nation safer. Thank you to everyone who participated in this program to make us stronger and more resilient.