Insight by HackerOne

How agencies can benefit from good hackers

The Defense Department launched the first Hack the Pentagon in spring 2016—five years ago.

The success of this crowdsourced approach to cybersecurity led to DoD establishing its first vulnerability disclosure policy, which created a safe, secure and legal avenue for private citizens worldwide to report vulnerabilities found on public-facing DoD websites and applications.

It also serves as a bridge between the DoD and security researcher community to work openly and in good faith together to identify and disclose vulnerabilities. DoD has held 14 public and 10 private bug bounty programs and paid out hundreds of thousands of dollars in response to private sector experts finding problems.

These efforts have led to the expansion of this good guy hacker approach to cybersecurity across the military services and into the federal civilian world.

From bug bounty programs to vulnerability disclosure programs (VDPs), agencies are seeing the value of these approaches to securing networks and applications.

Alex Rice, the co-founder and chief technology officer at HackerOne, said over the last five years, DoD has identified more than 10,000 vulnerabilities through bug bounty and other similar programs.

“A large percentage of them are from the Defense industrial base,” Rice said during the Federal Insights: Understanding the Versatility of Crowdsourced Cybersecurity sponsored by HackerOne. “If you’re asking the public to assess your attack surface, it’s unheard of these days that it doesn’t involve some element of the supply chain. So we try to structure these programs so that the good hackers behave like the bad guys. Just a little over a month ago, the Department of Defense expanded their vulnerability disclosure policy to cover the DIB as well. So now they’ve explicitly set up a structure where anyone in the DIB can opt in to the DoD’s overall vulnerability disclosure policy. Within the first week, there were over 50 participants and a few dozen vulnerabilities identified in the DoD’s supply chain. So it goes to show that this approach works across the most diverse attack surfaces out there.”

Rice said the VDP for defense contractors gives them not only a path to find problems, but also a safe way to report those issues.

The VDP, bug bounty and other similar approaches aren’t limited to big networks or systems. Rice said they can be used for everything from cloud instances to DevSecOps pipelines to public-facing websites.

“Rather than filling up good hackers’ time with the usual fluffy reports that we’re used to in those types of engagements, they’re paid if they actually are able to demonstrate impact. What that means is we ended up recruiting a very diverse and very talented group of folks to perform in these types of engagements. We’re able to get specialists that are specialized in one particular piece of it, that might not be able to participate to run a classic assessment against it,” he said. “You can have a very refined best of the best talent engaged in a pay-for-performance model that just complements the existing structure you’ve been doing, but always delivers something that those traditional approaches missed.”

The benefits of using outside experts are many, including finding blind spots in your network and taking advantage of a broader knowledge base that comes from relying on these experts.

“If you’re at the stage where you’re deliberately thinking about how do I augment my cybersecurity program with hackers and rewarding them for it, there’s a few things to keep in mind as you go about it,” Rice said. “First things first, hackers are going to find things. Nobody runs these programs and doesn’t learn something they didn’t know beforehand. You want to make sure you’re in a position to be able to action those findings, typically into a vulnerability management program. But you want to think about what are all of the things that we’re asking hackers to look for, and what are we going to do about it once they find it. That means making very close allies with your vulnerability management and incident response practices before you kick this off.”
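Rice's two preconditions, deciding what hackers are asked to look for and deciding in advance where each finding goes, can be made concrete as an intake step. The following is an added example and not code from HackerOne, DoD or the program described here; the scope entries, severity-to-SLA mapping, the (host, weakness) duplicate key and the sample reports are all assumptions chosen for illustration. It checks a reported host against scope (with out-of-scope entries overriding in-scope wildcards), collapses repeat reports of the same flaw, assigns a remediation due date from severity, and routes anything with evidence of active exploitation to incident response instead of the vulnerability management queue.

```python
"""Added example (not HackerOne's or DoD's code): a minimal intake step for a
vulnerability disclosure or bounty program. Scope rules, SLA days and sample
reports below are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed program scope. A "*.domain" entry matches the domain and any subdomain.
IN_SCOPE = ("*.example.mil", "portal.example.gov")
OUT_OF_SCOPE = ("legacy.example.mil", "*.internal.example.mil")

# Assumed remediation SLAs (days after receipt) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

DEFAULT_RECEIVED = date(2021, 6, 1)  # assumed receipt date for the sample run


def _host_matches(host: str, pattern: str) -> bool:
    """Case-insensitive hostname match; '*.d' matches d itself and any subdomain of d."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def in_scope(host: str) -> bool:
    """Out-of-scope entries take precedence over in-scope wildcards."""
    if any(_host_matches(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(_host_matches(host, p) for p in IN_SCOPE)


@dataclass(frozen=True)
class Report:
    report_id: str
    host: str
    weakness: str                     # e.g. a CWE identifier given by the reporter
    severity: str                     # critical / high / medium / low
    exploited_in_wild: bool = False   # reporter supplied evidence of active abuse


@dataclass
class Decision:
    report_id: str
    route: str                        # out_of_scope | duplicate | vuln_mgmt | incident_response
    duplicate_of: Optional[str] = None
    due: Optional[date] = None


def triage(reports: List[Report], received: date) -> List[Decision]:
    """Route each report in input order. The dedup key is (host, weakness), so a
    second report of the same flaw on the same host is marked duplicate rather
    than opening a new ticket."""
    seen = {}  # type: dict
    decisions = []
    for r in reports:
        if not in_scope(r.host):
            decisions.append(Decision(r.report_id, "out_of_scope"))
            continue
        key: Tuple[str, str] = (r.host.lower(), r.weakness.upper())
        if key in seen:
            decisions.append(Decision(r.report_id, "duplicate", duplicate_of=seen[key]))
            continue
        seen[key] = r.report_id
        sev = r.severity.lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"{r.report_id}: unknown severity {r.severity!r}")
        # Evidence of exploitation is an incident, not a backlog item.
        route = "incident_response" if r.exploited_in_wild else "vuln_mgmt"
        decisions.append(Decision(r.report_id, route, due=received + timedelta(days=SLA_DAYS[sev])))
    return decisions


# Constructed sample reports; these are not real findings.
SAMPLE = [
    Report("R-1", "apps.example.mil", "CWE-79", "medium"),
    Report("R-2", "APPS.example.mil", "cwe-79", "high"),                 # same flaw: duplicate
    Report("R-3", "build.internal.example.mil", "CWE-22", "critical"),   # out of scope
    Report("R-4", "portal.example.gov", "CWE-287", "critical", exploited_in_wild=True),
]

if __name__ == "__main__":
    for d in triage(SAMPLE, DEFAULT_RECEIVED):
        print(d)
```

The duplicate check deliberately ignores the second reporter's higher severity rating; reconciling severity between duplicate reports is a policy decision the program has to make before launch, which is the point of the quoted advice.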

Rice said there are two basic types of programs. One is a point-in-time program, similar to a penetration test or security assessment.

The second type is for more mature organizations that are looking for more feedback.

“The most powerful aspect of these types of programs is the ability to evolve them into a continuous security testing program. These are the type of bounty programs that you see folks like Google and Facebook pioneering; Microsoft and Amazon are huge proponents of them as well, at this point. You’re starting to see more traditional enterprises embrace them as well, like Goldman Sachs and General Motors,” he said. “They’re meant to find and explore new attack surfaces fast and continually give security feedback into your security programs.”

Rice added that incorporating the continuous feedback loop, and responding to it, will create stronger, more resilient networks and systems.

Good Hackers

It's a diverse community of folks from various backgrounds who participate in finding security flaws in software in incentivized manners. For example, we ran one of the early bounty programs, Hack the Air Force, and we had about 130 participants in it. The top participant from that program was a sophomore in high school at that time, was perfectly capable of hacking the Air Force as he demonstrated, but normally wouldn't be given that opportunity in a traditional vetted environment.

Featured speakers

  • Alex Rice

    Co-Founder, Chief Technology Officer, HackerOne

  • Jason Miller

    Executive Editor, Federal News Network

Resource Center

  • HackerOne empowers the world to build a safer internet. As the world’s most trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Qualcomm, Slack, Starbucks, Twitter, and Verizon Media.
  • DOD Expands Hacker Program to All Publicly Accessible Defense Information Systems