The Chief Digital and Artificial Intelligence Office Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) this week are piloting monetary rewards for ethical hackers who provide critical and high severity vulnerability information to the DoD Vulnerability Disclosure Program.
From July 4 to July 11, only high and critical severity findings will be eligible for a bounty on any publicly accessible information system, web property, or data owned, operated, or controlled by DoD.
The bounty pool for this program has been set at $110,000. Individual monetary payouts will be awarded at $1,000 for critical severity reports and $500 for high severity reports, and additional specialty categories will receive $3,000.
Given the threat landscape, many organizations are tapping into the community of millions of good-faith hackers around the world who are skilled, ready, and willing to help, said Casey Ellis, founder and CTO at Bugcrowd. Ellis said DoD has been running a vulnerability disclosure program for many years with great diligence and success, so to see them “upgrade” this to a paid bug bounty program makes a lot of sense.
“There’s a ton of technology already deployed, our rate of deploying new technology only increases and accelerates, and the adversaries we face continue to get better skilled, more aggressive, and more diverse,” Ellis said. “There are certainly security technology solutions which continue to be invented and used, but at the end of the day cybersecurity is a fundamentally human problem — therefore humans will also — and most likely increasingly — have a major role to play in defending the internet.”
While bug bounty programs are not perfect, they do help by giving researchers some incentive to hunt for flaws knowing they can be rewarded for their efforts with more than just bragging rights, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“With the sheer complexity of modern code and the myriad interactions between applications, it’s vital to have more responsible eyes looking for flaws,” Parkin said. “We know threat actors are doing it to find exploits they can leverage. Honest researchers should have some form of incentive as well. It takes a certain level of application maturity to be in a position to offer bug bounties, and not all companies have reached that point. Those that do tend to be large, with a large install base, and a mature development model that can take advantage of outside independent resources that bug bounties encourage.”