Dive Brief:
- Participants in the first-ever "Hack the Pentagon" bug bounty contest found more than 100 vulnerabilities in the Defense Department's computer systems, according to a report from RT.
- The program, the first of its kind offered by the federal government, invited hackers to test the cybersecurity of some public U.S. Department of Defense websites.
- A total of 1,400 vetted hackers participated in the contest.
Dive Insight:
Hack the Pentagon ran from April 18 to May 12. Participants were asked to find flaws in the public DoD websites that were in scope, and they did, reporting more than 100 of them. Alex Rice, chief technology officer and co-founder of HackerOne, the platform that administered the contest, said it would have been unusual if no vulnerabilities had been found.
Defense Secretary Ashton Carter, speaking at a Washington, D.C. tech forum Friday, praised the program and the white hat hackers who participated.
"They are helping us to be more secure at a fraction of the cost," Carter said. "And in a way that enlists the brilliance of the white hatters, rather than waits to learn the lessons of the black hatters."
While Hack the Pentagon is the federal government's first bug bounty program, it is unlikely to be its last: the threat landscape keeps evolving, and many government systems remain inadequately secured. Companies such as Facebook, Microsoft and Google have run bug bounties for years. In April, the Massachusetts Institute of Technology launched its own bug bounty program, and Uber even published a "treasure map" to guide researchers through the scope of its program.
Though the program was broadly successful in surfacing vulnerabilities for the Pentagon, one participant said it had clear room for improvement, particularly in its rules of engagement.
"The bounty brief left some room for interpretation around, 'Is what I’m doing right now something that is okay or is it something that is potentially going to get me in trouble?'" said the hacker, who wished to remain anonymous, according to a report from Archer Security Group. "The combination of that kind of vagueness and just generally mistrusting of the idea of the DoD doing this in the first place. There were a bunch of people that basically opted out."