The U.S. Department of Defense (DoD) has historically relied on internal testing and quality control processes to secure top-secret information and technology. Under the leadership of Secretary of Defense Ash Carter, the DoD shifted the culture of its security program from closed systems toward crowd-sourced security. At the launch of the first bug-bounty program in Federal government history, Secretary Carter stated, “‘Security through obscurity’ is often our default position. For many of our networks and applications, there’s good reason for that. But the more friendly eyes we have on some of our systems, networks, websites, and applications, the more gaps we can find, the more vulnerabilities we can fix, the greater security we can provide our warfighters.”
Hacker-powered security uses the external hacker community to find unknown security vulnerabilities and reduce cyber risk. It is typically run through bug-bounty programs, which proactively invite security researchers around the world to find and report an organization’s vulnerabilities in exchange for monetary and reputational rewards. The first bug-bounty program dates back to 1995, when Netscape offered cash for vulnerability reports against its web browser. Fifteen years later, such programs had become standard practice among technology companies like Google and PayPal. These programs popularized crowd-sourced security and fueled the growth of bug-bounty-focused startups like HackerOne and Bugcrowd, whose platforms connect organizations with ethical (“white-hat”) hackers. By crowd-sourcing security testing, an organization gains a continuous external check that can surface critical bugs faster than its internal controls alone.
Launching Hack the Pentagon
In 2016, the DoD invited 1,400 hackers to identify security vulnerabilities in the Defense Department’s public-facing websites. The first vulnerability was reported 13 minutes after launch, and over the next 6 hours hackers submitted over 200 findings, earning $75,000 in reward money. The success of this pilot led to the expansion of bug-bounty programs to other departments within the DoD. Hack the Air Force paid out $103,883 in bounties to freelance hackers who discovered 106 vulnerabilities over a 20-day period.
Hack the Army paid $100,000 in bounties for 416 reports; the first bug was found within 5 minutes. The Army asked hackers to target operationally significant websites, and one chain of findings let an attacker move from a public-facing website, www.goarmy.com, to an internal DoD website that normally required special credentials to access. The pivot went through an open proxy: a server that forwarded requests to whatever destination the client named, so traffic that should have been blocked at the network edge was routed on to internal hosts. Once the chain was reported, the Army Cyber Protection Brigade was able to remediate the issue immediately, closing the path to future attackers.
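The pivot described above turned on an open proxy. As an added example (not from the original article, and not the actual Hack the Army chain, whose details are not described here), the script below simulates that misconfiguration class on loopback and probes for it: a front end that picks its upstream from the client-supplied Host header sits beside a corrected one that only routes the hostnames it is meant to serve. The hostname `www.public.example`, the `INTERNAL ONLY` canary content and all three local servers are constructed for the demonstration.

```python
"""Added example (not from the original article): probing a public-facing web front end
for the "open proxy" misconfiguration, where the server forwards requests to whatever
upstream the client names in the Host header. All hosts and servers below are
constructed locally so the script runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical hostname the public front end is supposed to serve.
PUBLIC_HOST = "www.public.example"
# Constructed canary content served by the stand-in internal site.
INTERNAL_MARKER = b"INTERNAL ONLY"


def forward(host, port, path):
    """Forward a GET to the named upstream and return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=2)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()


class QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class InternalSiteHandler(QuietHandler):
    """Stands in for an internal site that should only be reachable from inside."""
    def do_GET(self):
        self.reply(200, INTERNAL_MARKER)


class OpenProxyHandler(QuietHandler):
    """Misconfigured front end: the upstream is taken from the client-controlled Host
    header, so any host the front end can reach, internal ones included, can be
    requested through it."""
    def do_GET(self):
        host, _, port = self.headers.get("Host", "").partition(":")
        if not host:
            return self.reply(400, b"missing Host")
        try:
            status, body = forward(host, int(port or 80), self.path)
        except (OSError, ValueError):
            return self.reply(502, b"upstream unreachable")
        self.reply(status, body)


class HardenedHandler(QuietHandler):
    """Corrected front end: only the hostname it is meant to serve is routed;
    anything else is refused up front rather than forwarded."""
    def do_GET(self):
        host = self.headers.get("Host", "").partition(":")[0]
        if host != PUBLIC_HOST:
            return self.reply(421, b"misdirected request")
        self.reply(200, b"public site")


def start(handler):
    """Start a handler on an ephemeral loopback port and return that port."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def is_open_proxy(front_port, target_host, target_port):
    """Ask the front end for a host it has no business serving. If the internal
    site's content comes back, the front end is forwarding on the client's behalf."""
    conn = http.client.HTTPConnection("127.0.0.1", front_port, timeout=2)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", f"{target_host}:{target_port}")
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read()
    return resp.status == 200 and INTERNAL_MARKER in body


def run_demo():
    """Probe both front ends against the internal site; returns {name: is_open_proxy}."""
    internal_port = start(InternalSiteHandler)
    results = {}
    for name, handler in (("open", OpenProxyHandler), ("hardened", HardenedHandler)):
        results[name] = is_open_proxy(start(handler), "127.0.0.1", internal_port)
    return results


if __name__ == "__main__":
    for name, leaked in run_demo().items():
        print(f"{name:9s} front end: {'FORWARDS to internal site' if leaked else 'refuses'}")
```

On a real engagement you rarely know a marker string in advance; the usual probe is to put a hostname you control (or an absolute URI in the request line) into the request and watch your own DNS and HTTP logs for the inbound connection, which proves forwarding even when the response body is scrubbed. The fix is the same in any reverse proxy: route only an explicit allowlist of hostnames to fixed upstreams, and never derive the upstream from a request header.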
The DoD’s bug-bounty programs have led to the resolution of 5,000 security vulnerabilities, and their scope has since expanded to more sensitive systems such as the department’s travel booking system. The Defense Travel System (DTS) holds sensitive information on millions of government employees and contractors, making it one of the most widely used pieces of enterprise software in the U.S. government. Hackers employed a variety of methods, including social engineering, to expose over 100 vulnerabilities.
While bug-bounty programs are now common across the software industry, the security researchers who take part have faced decades of hostility: lawsuits, referrals to law enforcement, public attacks, and misguided laws that seek to ban or criminalize good-faith security research and publication. Before turning to crowd-sourced security, an organization should first establish a Vulnerability Disclosure Policy (VDP). A VDP is the legal foundation on which any bug-bounty program rests: it states which systems are in scope, how a researcher should submit a finding, what the organization promises to do in response, and that good-faith testing within those rules will not be met with legal action (safe harbor).
Following the success of its bug-bounty programs, the DoD published a VDP that describes a legal avenue for any hacker to disclose vulnerabilities in any DoD public-facing system. Hackers now have clear guidance on how to legally test for and disclose vulnerabilities in DoD websites that fall outside the scope of live bug-bounty challenges. This policy was the first of its kind in the U.S. Government and signals a firm commitment to bringing diverse perspectives to protecting and defending the nation’s assets.
Governments have a duty to be responsible caretakers of the private data they hold. Will other branches of the Federal government adopt crowd-sourced security? How will this model work in agencies that depend heavily on technical contractors? How can bug-bounty programs be implemented at the local level and among government-managed institutions like power plants? Blazing trails that make society safer is a vital role for government to take on, and the DoD has seized the opportunity to lead in working with the security researcher community. Hack the Pentagon should serve as a model for other government departments to follow, and I believe many more will.
References
Government – Hack The Pentagon – Hacker Powered Security Testing. (n.d.). Retrieved November 12, 2018, from https://www.hackerone.com/resources/hack-the-pentagon
O’Neill, P. H. (2018, May 31). Pentagon’s latest bug bounty program pays out $80,000. Retrieved November 13, 2018, from https://www.cyberscoop.com/hack-the-dts-dod-hackerone-bug-bounty-pentagon
Hack The Army Results Are In. (2017, January 19). Retrieved November 12, 2018, from https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In
Pomerleau, M. (2018, October 26). DoD bug bounty program to expand to more sensitive systems. Retrieved November 13, 2018, from https://www.fifthdomain.com/dod/2018/10/24/dod-bug-bounty-program-to-expand-to-more-sensitive-systems/
Carter, A. (2016, June 17). The Pentagon’s First Bug Bounty Exceeded All Expectations. U.S. Department of Defense.
Wong, C., Shema, M., & Warner, T. L. (2017). Crowdsourced Pen Testing for Dummies (1st ed., Vol. 1, Cobalt Edition). Hoboken, New Jersey: John Wiley & Sons.
Evans, C. (2018, March 21). Protecting Security Researchers. Retrieved November 13, 2018, from https://blogs.dropbox.com/tech/2018/03/protecting-security-researchers/
Vulnerability Disclosure Policy Basics: 5 Critical Components. (2017, August 10). Retrieved November 13, 2018, from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components