'Hack the Pentagon' Highlights Rise in Popularity of Bug Bounty Programs
Cold hard cash is a strong motivator for many people, and the Department of Defense is hoping that hackers are no exception. In March, DoD officials announced a bug bounty program, modeled after those popular in the private sector, that will launch one week from today. Initial press materials regarding the program were short on details and long on patriotic hype, but this first-of-its-kind program in the public sector seeks to take an approach that has already proven successful in private industry.
Whether organizations like it or not, hackers will probe their systems seeking out weaknesses in servers and applications that may be exploited for a variety of reasons. Some of these individuals merely seek the intellectual challenge of identifying vulnerabilities and then leverage their discoveries to gain notoriety within the hacking community.
Bug bounty programs seek to redirect these individuals to disclose their discoveries directly to whatever entity they have successfully exploited, rather than to the general public, typically in exchange for some form of compensation. The goal is to harness the intellectual horsepower and work ethic of hackers and use it in the service of improving security.
Exploring Bug Bounty Programs
Bug bounty programs aren't new on the scene. In fact, Netscape Communications launched the first bug bounty program in 1995 with a $50,000 pool of funding designed to help identify vulnerabilities in the newly launched Netscape Navigator 2.0.
The Netscape program was quite successful and became the model for many similar programs throughout the Internet industry over the following decade. Other programs came and went in the two decades since Netscape launched its program, but bug bounties have gained particular momentum over the past few years.
Facebook offers one of the industry's most popular bug bounty programs. Launched in 2011, the program has received more than 2,400 valid submissions and has awarded more than $4.3 million in compensation to more than 800 researchers located around the world. Those researchers received an average payout of $1,780 for a bug submission, and the highest number of bounty payouts went to security researchers in India, Egypt and Trinidad and Tobago.
Reports submitted in the past year disclosed critical cross-site request forgery (CSRF) vulnerabilities in Facebook.com and Facebook's Messenger app, and also identified a way to abuse Facebook's graph search algorithm to uncover confidential information.
Google also offers several different vulnerability reward programs covering its own web properties, the Android operating system, the Chrome web browser and a variety of open-source packages. Google's application security site offers detailed requirements for submissions and includes a matrix of rewards.
The schedule of potential payments ranges from $100 for more trivial vulnerabilities up to a whopping $200,000 reward for the successful compromise of a Chromebook running in guest mode. Google began this program in 2010 and promotes that it paid out more than $2 million to security researchers.
Facebook and Google aren't alone in the bug bounty world, and bug bounty programs aren't limited to Internet-based businesses. Many other technology firms host bug bounty programs that seek to apply the wisdom of the crowd to the discovery of new vulnerabilities. Uber, United Airlines and General Motors all recently joined the bug bounty bandwagon. The Department of Defense program is, however, the first vulnerability disclosure program run by the federal government.
Inside the DoD Program
What prompted the DoD to launch a bug bounty? Secretary of Defense Ash Carter said in a media release that the new scheme represents innovative thinking. "I am always challenging our people to think outside the five-sided box that is the Pentagon," Carter said. "Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security."
The soon-to-launch "Hack the Pentagon" program does share some similarities with private sector programs. It focuses on public-facing websites and promises security researchers recognition for their accomplishments.
Unlike other similar programs, Hack the Pentagon does come with a decidedly military twist. The program is not a free-for-all that invites all comers to test security. Instead, hackers must agree to undergo a background check and be pre-cleared to test specifically assigned websites.
That approach is likely to stifle participation by a hacking community that is often resistant to government regulation — to say nothing of the fact that many hackers may have a background they would prefer to keep shrouded in mystery. Time will tell the degree of success achieved by this program, but it does mark a new direction for federal web security.
Bug Bounty Risks and Rewards
The high-profile nature of bug bounty programs leaves many organizations asking whether they should offer similar programs to get some fairly inexpensive security consulting assistance from the large hacking community. One school of thought here points to the potential danger in announcing to the world "Bring it on, hackers – we're secure!"
This is counterbalanced by the opinion that hackers are going to test your security controls no matter what. That being the case, companies and organizations are better off attempting to win hackers over and harness their abilities to improve security, than finding out about vulnerabilities only after they've been exploited.
Organizations considering sponsoring a bug bounty program should first conduct a thorough review of their own security controls using internal resources, and fix any obvious vulnerabilities. You want your program to be challenging and make it difficult for hackers seeking to gain access to your systems.
The number of controls potential intruders must break through will vary based on the type of systems you're exposing to the Internet, as well as the nature of the vulnerability. Just remember that any good bug bounty program should run on top of a solid information security program. Only organizations that are fairly confident of their security controls should consider putting them to the test in this manner.
Bug bounty programs continue to rise in popularity, and it's clear they are poised to become an enduring part of the security landscape. Security researchers seeking to earn a little extra spending money may wish to explore these programs as a chance to showcase their skills — while lining their pockets at the same time.