Pentagon is far too tight with its security bug bounties

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense’s IT systems doesn’t carry a high reward.

The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam’s networks.

For comparison: an F-35 fighter jet costs between $110 million and $136 million, depending on the model, and that price tag will likely increase when the Pentagon buys the next batch from Lockheed Martin. And at $33,600 per flight hour for a stadium flyby, the bounty for critical software vulnerabilities comes up short in comparison.

Of course, bug hunters can’t drop bombs or surveil enemies from the air. But their work can, say, prevent private snoops and foreign spies from disrupting these fighter operations or co-opting their reconnaissance missions.

According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection. 

The Pentagon didn’t say how many bug hunters received rewards, or how much they each earned. 

However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil.

Hello private sector

Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021.

“The most successful bug bounty programs strike an even balance between monetary and social benefits,” Google’s Eduardo Vela, who leads the Product Security Response Team, told The Register.

“For bug hunters, there must be a monetary incentive to get them to participate – but, there’s also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both – one without the other is not enough.”

It’s also worth noting that the DoD’s pilot vulnerability disclosure program, which ended in April, didn’t pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that.

“We have to make sure we stay two steps ahead of any malicious actor,” said Katie Savage, deputy chief digital and artificial intelligence officer at the Directorate for Digital Services, in a statement. “By paying out monetary rewards to ethical hackers, we harden our defenses in a very impactful way.”

Some in the infosec community, however, say it isn’t very impactful at all. 

The Pentagon’s focus should extend beyond rewards and include real investments in security, according to Katie Moussouris, founder and CEO of Luta Security.

“The overall security strategy around US government bug bounties really hasn’t evolved past playing whack-a-bug, and needs to evolve beyond discussions of bounty price,” Moussouris told The Register.

“Where is the ongoing investment in people, processes, and technology to address or prevent most of these security holes before a bug bounty hunter can find them?

“Unless DoD wants to look like every other private company that says they ‘take security seriously’ just because they have a bug bounty, they need to start showing how these programs are directing their broader security efforts and aiming for meaningful security goals, not bounty award totals to generate headlines.”

Moussouris, in her previous roles at Microsoft, persuaded management to start Redmond’s first bug bounty program. Then later, at HackerOne, she worked with the DoD to launch Hack-the-Pentagon, which was the first-ever federal bug bounty program.

“CISA’s Known Exploited Vulnerabilities (KEV) list is a good start for the rest of the U.S. government to patch these old vulnerabilities on their own, but in my most recent NIST ISPAB public meeting, CISA revealed that over 1.4 million Internet-accessible non-military government systems had not patched those bugs,” Moussouris said. “Houston, we still have a problem across the entire government security space.”

Finding and reporting bugs won’t solve the problem, she added. “Our national security depends on us growing the cyber workforce to work inside organizations to prevent and detect these security holes early, not waiting for the crowd to help us.” ®