When the Pentagon announced the “Hack the Pentagon” event back in March, many wondered what kinds of vulnerabilities hackers would find when checking government websites for bugs. Now we know.
According to Defence Secretary Ash Carter, more than 250 of the 1400 participants submitted at least one vulnerability report, and 138 of those vulnerabilities were determined to be “legitimate, unique and eligible for a bounty”. Bounties ranged from $US100 ($135) per person to around $US15,000 ($20,285) for someone who submitted multiple bugs.
The pilot program, which ran from April 18 to May 12, cost about $US150,000 ($202,853), with around half of that going to participants. The results were released on Friday, according to the US Department of Defence’s website.
“Hack the Pentagon” was deemed a cost-effective way to scour five of the US defence department’s websites (defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman) for security bugs. Instead of going to outside security firms, which would have cost upwards of $US1 million ($1 million), the government recruited amateur hackers to do it for much less, some of whom were still in high school.
In addition to reporting on the number of bugs, Carter also said that the government has worked with HackerOne, a bug bounty platform, to fix the vulnerabilities and that the department has “built stronger bridges to innovative citizens who want to make a difference to our defence mission.” Carter wants the “bug bounty” program to extend to other areas of the government and wants to ensure that hackers and researchers can report bugs without a dedicated program.
“When it comes to information and technology, the defence establishment usually relies on closed systems,” he said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.”
Many websites already have bug bounty programs in place, but this was the first time the federal government had run such a program. It’s good experience for young hackers and security fiends who want to try to hack a government agency, although that’s a small amount of money for their time.