Ongoing bug-bounty pilot pinpoints many vulnerabilities in DOD’s cyberspace

(Getty Images)

White-hat hackers in the U.S. and overseas are uncovering potentially serious vulnerabilities in the Defense Department’s cyber assets through a bug bounty program, with an $110,000 pool that cybersecurity company HackerOne and several Pentagon components are hosting between July 4 and 11.

The initiative — known as Hack U.S. — is enabling the DOD to experiment with paid public incentives in its vulnerability disclosure program (VDP) to see if such approaches could result in more high-fidelity findings with greater impact.

HackerOne launched the department’s very first bug bounty program, Hack the Pentagon, with the Defense Digital Service (DDS) in 2016. DDS is now part of the newly structured Chief Digital and Artificial Intelligence Office (CDAO), which is overseeing the latest bug bounty pursuit with DOD’s Cyber Crime Center (DC3). 

With Hack U.S., “for the first time, we’re paying for submitting vulnerabilities against the entire DoD scope of assets numbering in the tens or hundreds of thousands,” CDAO spokesperson Kathleen Clark told FedScoop on Friday.

“At the end of the fourth day, we have paid out 90 unique high and critical vulnerabilities with an additional 78 reports left to be triaged,” she said, noting that the “impact of the vulnerabilities ranged from a serious headache” to an Office of Personnel Management-level protected health information (PHI) and personally identifiable information (PII) risk.

By that point, 111 unique vulnerabilities that were not severe enough for a payout were also pinpointed. Those will be addressed under the traditional disclosure program.

“In an effort to attract top talent to help improve the DOD’s cybersecurity posture, we are proud to partner with DC3 and HackerOne to pilot a program to offer researchers financial incentives through the VDP for the first time. This effort has proven to be a step in the right direction given the robust response and the disclosure of critical vulnerabilities,” Katie Olson Savage, deputy chief digital and artificial intelligence officer and DDS director, told FedScoop.

The program is ultimately intended to drive security researchers to properly conduct vulnerability discovery activities spanning publicly accessible Defense Department information systems — and help the department determine how feasible it would be to award such bounties on a continuous basis.

“Only critical and high vulnerabilities that could severely limit the confidentiality, availability, or integrity of a system were eligible for bounty, driving researchers towards big-game bug hunting,” Clark noted.

She said researchers are “participating globally with only minimal restrictions placed on payouts,” and “were explicitly given the .GOV and .EDU scopes that DOD operates for the first time.”

More than 130 unique researchers have submitted findings so far, Clark added, and the program has had multiple “temporary pauses” to keep up with all the reports rolling in. 

“The vulnerabilities discovered by the hacker community during Hack U.S. will offer more air cover on all the assets that help maintain U.S. national security, and insights from reports will help inform how the DOD approaches identifying future threats,” HackerOne co-founder and Chief Technology Officer Alex Rice told FedScoop.

A hostile actor operating against the U.S. could potentially look to exploit these exact vulnerabilities to force cybersecurity forces into a “blue team” defensive posture. 

“Every one of these vulnerabilities [discovered during Hack U.S.] is one less incident the DOD would have to address,” Clark noted.

So far, early evidence suggests that — even at a low bounty payout — this model yields benefits for the Pentagon.

“Funding a paid vulnerability disclosure process is the next evolution of the VDP and will make our nation more secure,” Clark said.