The Department of Defense (DoD) has put a bounty on computer bugs. For the first time, last Fall the DoD issued a policy saying it will pay people for reporting computer vulnerabilities (bugs) on its HackerOne website. The program creates a legal framework and mechanism for friendly hackers outside of the DoD (known as “white hats” or “ethical hackers” in the world of private industry) to volunteer their time to find vulnerabilities in Pentagon IT systems. Previously, one would face criminal prosecution for trying to hack the Pentagon. Now, hackers who follow the Bug Bounty Rules will not only have amnesty from prosecution, but they may even get paid!
Taking a play out of the crowdfunding playbook, the DoD’s revolutionary Bug Bounty Program provides a financial incentive for ethical hackers to spend time and resources finding and reporting vulnerabilities in Pentagon networks. In a test run last year, the DoD teamed up with Silicon Valley-based HackerOne for a “Hack the Pentagon” project. 1400 hackers were invited to participate in a 24-day competition. During that time, the hackers found 138 new vulnerabilities that were fixed. And the program only cost the DoD about $150,000 – a huge savings over the roughly $1 million cost of hiring a private firm to do an audit and vulnerability assessment.
To expand the successful test, the DoD has awarded contracts to two firms, HackerOne and another Silicon Valley-based firm, Synack, to manage the new crowdsourcing-like project. This is an interesting spin on the private sector’s “white hat” hacking initiatives.
© 2017 Duke Law Office PLLC and CyberSmart Law. This blog is a copyrighted work of Duke Law Office PLLC and CyberSmart Law. No portion of it may be reproduced or distributed without the express written permission of Duke Law Office PLLC and CyberSmart Law. None of the information contained in this blog is intended to constitute, nor does it constitute, legal advice or a solicitation of any particular prospective client. For further information, please contact Emily E. Duke at eduke@DukeLawOffice.com.