The Department of Defense’s newly expanded bug bounty was just as much about hacking government culture as it was about finding actual software flaws.
Thanks to Defense Digital Service (DDS), the unit that drove the DoD’s month-long Hack the Pentagon bug bounty pilot, Defense received 138 qualifying bug reports from 117 of the 1,410 the hackers that registered for the bounty.
DDS’ “bureaucracy hacker” Lisa Wiswell highlighted on Monday in a post on Medium that the first valid report arrived just 13 minutes after the pilot went live.
But getting the program off the ground wasn't easy. Wiswell and her team needed to “hack them all” — meaning lawyers, contracting officers, and DoD bureaucrats — to plot a new path for Defense to navigate “around our outdated and often restrictive policies so we can get shit done at a pace consistent with the tech sector.”
DDS is an arm of the White House's “startup” unit, the U.S. Digital Service, which runs a small team of engineers and techies who are tasked with redesigning the government’s online services.
DoD paid hackers between $100 and $15,000 for each report while the program overall costed $150,000 to run.
Paying for and finding the bugs was an important goal, but U.S. secretary of Defense Ash Carter highlighted on Friday that the exercise was also a new cost-saving approach to government procurement.
"[The $150,000 was] not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said.
Carter said Defense will now run a permanent bug bounty and provide legal ways for citizens to report security flaws.
The results of the bounty were a “big win” in changing Defense attitudes towards hackers and the security community, according to Wisnell.
“There was a time when DoD branded even the most professional hackers as criminals,” she noted.
The results “proved to the skeptics who believed hackers are dangerous, childish, and intentional lawbreakers, that instead, the hackers who participated in Hack the Pentagon were extremely helpful,” she added.
Wisnell also provided some more details about how the DoD would over coming months “extend olive branches to the hacker community”.
One effort will be a new DoD responsible disclosure policy and a legal avenue for private citizens to report software bugs. This policy outlines the rules for reporting bugs and are aimed at giving software makers enough time to fix and issue a patch for flaws before a reporter publishes their findings.
“Rolling out an enduring vulnerability discovery and disclosure program will begin to normalize this as just another tool in our security toolkit — just as industry has done,” wrote Wisnell.
She also noted that the DoD’s persistent bug bounty would include “specific DoD websites, applications, binary code, networks, and systems.” This expands on the pilot’s five public facing websites, including defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.
The DDS has also hired Google’s head of combatting web spam, Matt Cutts, who announced on Friday he was “taking a leave from Google” for an unspecified role with DDS for several months.
If his personal views do take shape during his tenure, more government agencies could be adopting bug bounties in the near future, which he thinks could help the government prevent future security incidents, such as the breach of the US government’s Office of Personnel Management (OPM), which exposed private information of 22 million people who’d applied for government vacancies.
“This is my personal opinion, but if bug bounty programs become more common in the government, that would mean that lots more people would be protected from hacks or identity theft,” he wrote on Hacker News.