In recent years, cybersecurity has morphed into an issue capable of affecting the entertainment industry, financial markets, and even national security and elections. Since hacking is illegal, it’s been difficult for the government to learn from benevolent, “white hat” computer hackers as the Department of Justice continues to crack down on hackers who violate the law, even if it was only being done to expose vulnerabilities in protected systems. However, a Defense Department program might pave the way to ending that prohibition.
Knowing that “the inability of researchers and concerned citizens to disclose vulnerabilities they find inevitably makes the government (or any institution) less secure,” several sections of the Defense Department, including then-Secretary Ash Carter, started Hack the Pentagon, a bounty program to offer cash rewards for hackers who discover software bugs.
Over a 24-day period, dozens of pre-selected security researchers hunted down vulnerabilities in certain public-facing DoD websites, in what was the first federal bug bounty ever run at a federal agency. The department ended up resolving more than 138 unique vulnerabilities, and paid tens of thousands of dollars to 58 hackers. One made a total of $15,000 by reporting multiple bugs.
After that program was deemed a success, the Defense Department conducted a similar experiment with public-facing U.S. Army websites where hackers “found more than 100 unique bugs, and received about $100,000 in total payouts.”
After bugs were being discovered in the days and weeks after the programs ended, the Defense Department announced an open-ended, though rewards-less, program for hackers to legally submit bugs appearing on any public websites operated by the Pentagon. As a result, an additional 3,000 vulnerabilities were discovered. The latest, Hack the Air Force, found 207 bugs.
After seeing the success of the Defense Department’s bug bounties, the General Services Administration and the Department of Homeland Security are exploring similar programs for their own websites and systems.