Published on December 17th, 2016 | 1,230 views
How the DoD uses bug bounties to help secure the department’s websites
Secretary of Defense Ash Carter instigated the Hack the Pentagon bug bounty. The success of that program lead the DoD to launch the Hack the Army initiative and a Vulnerability Disclosure Policy
Ash Carter, the current Secretary of Defense, does not mind stepping outside the box when it comes to innovation.
Last year, Secretary Carter created the Defense Digital Service (DDS), which recruits talent from the public sector. Secretary Carter explains that those interested will embark on a tour of duty at the Department of Defense (DoD) to help solve some of the DoD’s most complex problems. One project completed by DDS personnel improved data sharing between the DoD and the Veterans Administration, allowing veterans to be served faster and more efficiently.
From the DDS site: “Our mission is to drive a giant leap forward in the way DoD builds and deploys technology and digital services. We work alongside our public servants and service members, empowering them to incorporate private sector best practices and talent to build a better future now.”
Bug bounties are popular in the private sector, but not that easy to implement in government circles, especially the DoD. However, Secretary Carter and the people at DDS put a package together and successfully launched Hack the Pentagon, a pilot program designed to identify and resolve security vulnerabilities within Defense Department websites through crowdsourcing.
Hack the Pentagon targeted five public-facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net, and dimoc.mil, according to a DoD spokesman. The payouts ranged from about $100, all the way up to $15,000 to a participant who had multiple submissions, according to Lisa Wiswell, with the DDS.
“All told, more than 1,400 hackers were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report,” writes Secretary Carter in this @SecDef/building-on-the-lessons-learned-from-hacking-the-pentagon-b5b58548b6a9#.rrr1dbada” target=”_blank” rel=”external nofollow” title=”Medium post” class=”wp-links-icon”>Medium post. “Of all the submissions we received, 138 were determined to be legitimate, unique, and eligible for a bounty.”
When it comes to bug bounties, one thing that worries researchers who participate in bug-bounty programs are the boundaries. White-hat hackers want to know how far they can go without getting into trouble. To remove that angst, Secretary Carter provided researchers with sufficient guidelines in November 2016 when he signed the DoD Vulnerability Disclosure Policy.
“This policy is the first of its kind for the Department,” @SecDef/building-on-the-lessons-learned-from-hacking-the-pentagon-b5b58548b6a9#.kj024m3u6″ target=”_blank” rel=”external nofollow” title=”writes Secretary Carter” class=”wp-links-icon”>writes Secretary Carter. “It provides left and right parameters to security researchers for testing for and disclosing vulnerabilities in DoD websites, and commits the Department to working openly and in good faith with researchers.”
The Vulnerability Disclosure Policy provides information on which websites can be investigated, how to submit a report, guidelines (e.g., Denial of Service testing is not allowed), what the researchers can expect from the people at DDS, and finally a legal section.
Besides clarifying rules for researchers, the Vulnerability Disclosure Policy provides a DoD guarantee, committing the agency to:
- Acknowledging receipt of a vulnerability report within three business days. The DoD’s security team will investigate the report and may contact the researcher for further information.
- Confirming the existence of the vulnerability to the researcher and keeping the researcher informed, as appropriate, as remediation of the vulnerability is underway.
- Recognizing researchers publicly for their contributions, if the researcher so desires. However, public disclosure of vulnerabilities will only be authorized at the express written consent of the DoD.
Because of the success of Hack the Pentagon, Secretary Carter and Secretary of the Army Eric Fanning announced on November 11, 2016 the launch of Hack the Army. This bug bounty focuses on Army websites, and in particular, those that support the recruiting mission.
What makes Hack the Army unique is that researchers can target dynamic websites, which by nature are more complicated and thus more vulnerable. “These sites are critical to the Army’s recruiting mission, and as a result must be hardened,” explains Secretary Carter.
Rather than reinvent the wheel, the people at DDS decided to use HackerOne to manage the DoD bug-bounty programs. The company already has a proven vulnerability coordination and bug-bounty platform used by many private-sector organizations.
HackerOne is a venture-backed company with headquarters in San Francisco. From the HackerOne site: “Created by security leaders from Facebook, Microsoft, and Google, HackerOne empowers companies to protect consumer data, trust, and loyalty by working with the global research community to surface relevant security issues.”
Granted, hacking websites—static or dynamic—for vulnerabilities may not be as significant as pen testing a network, but more than a few devastating data breaches began by leveraging a weakness in an internet-facing web server.
It will be interesting to see if the new administration will continue the DDS and Secretary Carter’s bug-bounty programs.