
Former DoD official recommends single overarching bug bounty program for all U.S. agencies

July 29, 2017

The woman who spearheaded development of the Department of Defense's “Hack the Pentagon” bug bounty program recommended that all federal agencies looking to implement a similar initiative do so under one single umbrella program.

“If we were in a position as a government to have one consolidated organization that could do such a thing, it would make great sense. I think that's absolutely the world in which we're moving,” said Lisa Wiswell, former digital security lead with the DoD, at DEF CON 25 on Friday.

Wiswell noted that the DoD developed one bug bounty contract, applying to all individual departments within the agency, which collectively comprise roughly 3.2 million members. “I do think that that model can and should be pushed to a more federalized government place to make sure there's a certain amount of consistency,” especially in how the government interacts with the researcher community.

No longer representing the U.S. government, Wiswell is now a principal at security engineering and consulting services firm GRIMM, but she is credited with launching the Hack the Pentagon program in April 2016. Around 1,400 researchers and hackers participated in the highly successful pilot program, which ultimately resulted in the discovery of 138 vulnerabilities, while spawning additional bug bounties and later an official DoD vulnerability disclosure policy.

Speaking as part of a larger “Meet the Feds” panel that also featured active members of the Department of Justice, the Food and Drug Administration, and the Federal Trade Commission, Wiswell addressed the challenges surrounding the creation of the first federal bug bounty program.

Certainly one of the biggest issues, if not the biggest, was gaining the trust of hackers and convincing them that the agency was not looking to unearth and track them. Likewise, some members of the DoD were uncomfortable with the lack of control they experienced while outside researchers combed through their code.

“Some of us on the government side have been skeptical of our engagements with you; some of you have been skeptical with your engagements with us. And we keep kind of pushing the envelope a little bit, and it's getting better every single engagement…” said Wiswell.