In a press conference at the Pentagon in Washington DC, on February 29, Defense Secretary Ash Carter and Joint Chiefs Chairman Gen. Joseph Dunford announced the first official government-sanctioned bug bounty program, called "Hack the Pentagon." The program is set to start in the upcoming month and will only allow US citizens to participate, after they pass a thorough background check.
US officials said that, during the program's first iteration, only a select few public-facing services would be subjected to "hacking" attempts. There are currently no plans to open more sensitive systems to the program, or at least not immediately.
Former Microsoft executive is in charge
The program is an initiative of a new division in the US Department of Defense (DOD) called the Defense Digital Service (DDS), led by former Microsoft executive Chris Lynch.
Mr. Lynch said that, using his contacts in the tech industry, he had already invited experienced coders and security researchers from companies like Google and Shopify to participate, affectionately calling their upcoming work a "tour of duty."
The bug bounty program's rules are still being worked out, but DOD officials have confirmed that researchers who participate and succeed in finding security flaws will receive cash rewards.
Bug bounty programs are ubiquitous
Over the past few years, bug bounty programs have become the norm for many tech companies. Bug bounties allow companies to fix security flaws by having independent security researchers examine and probe their services before malicious hackers have a chance to.
In recent years, almost every major tech company has set up a bug bounty program, either on its own or through platforms like HackerOne or Bugcrowd.
Some of the latest companies to set up a bug bounty program include the likes of cyber-security firm Malwarebytes and the Tor Project.
In a statement made in the past month, Facebook revealed that it paid bug bounty rewards of over $936,000 (€833,500) last year and more than $4.3 million (€3.83 million) since the program launched in 2011. Similarly, GitHub announced it paid $95,300 (€85,400) to 58 security researchers for 102 security vulnerabilities discovered in the past two years.
At the start of the year, Bugcrowd even published a guide for companies that wanted to set up a bug bounty of their own. The guide included basic policies and even a recommended price chart, according to which top-level firms should pay at least $15,000 for a critical security bug.
DOD backing doesn't mean the program will be a success
"This is a great step in the right direction to addressing the critical need for cyber security skills in the US," Jonathan Cran, VP of Operations at Bugcrowd, told Softpedia. "We suspect that it's the first of many announcements from the Federal Government."
"This program will significantly further two of the first strategic goals announced by DoD last year: (1) Build and maintain ready forces and capabilities to conduct cyberspace operations, and (2) Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions," Mr. Cran also noted.
But the DOD will also face some problems, as Mr. Cran explains: "In general, researcher talent is more expensive in the US, so limiting the program to US-based, background-checked researchers may present challenges or simply require more incentives to participate. 33% of Bugcrowd's researchers are based in the US, and less than 10% of those voluntarily submit to background checks."
The same opinion is shared by security researchers themselves, represented here by Pablo de la Riva Ferrezuelo, Founder and CTO of buguroo, a security company that provides ethical hacking and security auditing services. "I believe that one of the biggest values of bug bounty programs is the diversity of participant profiles and knowledge. If there are established limits for a participant's nationality and citizenship, you will lose part of the exotic nature of the exercises and limit the results," Mr. Ferrezuelo explained.
"The announcement leaves a lot of questions about the scope and breadth of the program, and the research community looks forward to more details," Mr. Cran added, drawing on his experience in managing Bugcrowd, a crowdsourced bug bounty platform that serves clients such as Tesla Motors, Pinterest, Dropbox, Western Union, and many others.
During the same press conference in which officials announced the upcoming "Hack the Pentagon" program, Defense Secretary Ash Carter and Joint Chiefs Chairman Gen. Joseph Dunford also revealed that the US had started an intense series of cyber-attacks against ISIS in Mosul, Iraq.