Vulnerability Management

Former DoD official recommends single overarching bug bounty program for all U.S. agencies

The woman who spearheaded development of the Department of Defense's “Hack the Pentagon” bug bounty program recommended that all federal agencies looking to implement a similar initiative do so under one single umbrella program.

“If we were in a position as a government to have one consolidated organization that could do such a thing, it would make great sense. I think that's absolutely the world in which we're moving, said Lisa Wiswell, former digital security lead with the DoD, at DEF CON 25 on Friday.

Wiswell noted that the DOD developed one bug bounty contract, applying to all individual departments within the agency, which collectively comprise roughly 3.2 million members. “I do think that that model can and should can be pushed to a more federalized government place to make sure there's a certain amount of consistency,” especially in how the government interacts with the researcher community.

No longer representing the U.S. government, Wiswell is now a principal at security engineering and consulting services firm GRIMM, but she is credited with launching the Hack the Pentagon program in April 2016. Around 1,400 researchers and hackers participated in the highly successful pilot program, which ultimately resulted in the discovery of 138 vulnerabilities, while spawning additional bug bounties and later an official DoD vulnerability disclosure policy.

Speaking as part of a larger “Meet the Feds” panel that also featured active members of the Department of Justice, the Food and Drug Administration, and the Federal Trade Commission, Wiswell addressed the challenges surrounding the creation of the first federal bug bounty program.

Certainly one of the biggest issues, if not the biggest, was gaining the trust of hackers, convincing them that the agency was not looking to unearth and track them. Likewise, some members of the DOD were uncomfortable with the lack of control they experienced while outside researchers combed through their code.

"Some of us on the government side have been skeptical of our engagements with you; some of you have been skeptical with you engagements with us. And we keep kind of pushing the envelope a little bit, and it's getting better every single engagement…” said Wiswell.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.