The federal market for “white hat” hackers continues to grow. Not only are ethical security burglars popular in the Defense Department, but now the General Services Administration’s Technology Transformation Service (TTS) is setting up a bug bounty program.
TTS issued a draft solicitation in January aiming to set up a program where ethical hackers scan and find vulnerabilities in their cloud-based applications.
“As part of its programmatic focus on security, TTS needs to purchase access to a pre-existing, commercially available Bug Bounty software-as-a-service (SaaS) Platform that will allow it to launch and manage the TTS Bug Bounty program,” the performance work statement said. “This acquisition will give TTS access to a large network of security researchers, people who have an interest — both personally and financially — in helping to find and address bugs and other technical issues within TTS-owned web applications. While the Department of Defense has conducted a bug bounty program, this TTS program will be the first of its kind to be generated by a civilian (or non-DoD) federal agency. Only a select few small businesses are able to provide this software-as-a-service (SaaS) platform and that large network of researchers.”
TTS is asking for insights from vendors on how to set up the program that provides 12 services, including having ethical hackers test up to five applications and set up a secure reporting platform.
“The contractor will provide access to their Bug Bounty SaaS platform for researchers to report vulnerabilities (Platform/Network Access) and allow TTS to manage and track issues across multiple public web applications, triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities, and explain the reasons behind rejections (Vulnerability Report Triage Services),” the draft stated. “For the platform Access, GSA IT has already begun the approval process for the three known contractors in the industry. For the Vulnerability Report Triage Services, they must be provided on a ‘per web application’ basis, allowing TTS to operate a Bug Bounty for a web application independently of the other web applications that are utilizing the Platform/Network Access for their own tests. As part of these services, the contractor must provide staff who are specialists in reviewing vulnerability reports and communicating with researchers.”
Comments on the draft solicitation were due Jan. 30, and TTS didn’t offer any timetable for when and if a final solicitation would be forthcoming.
The fact that TTS decided to jump on the bug-bounty bandwagon isn’t surprising.
The Defense Department and the Army have found success with this approach, as have a host of private sector firms, including Google, Facebook, Microsoft and Yahoo!.
The concept of a bug bounty is quite simple: Hire or offer a prize to the ethical hacker community for finding problems with software. It’s the idea of crowdsourcing cybersecurity, but in a more formal and trusted way.
“If a software company used to pay, let’s just say, $100,000 to a contractor for cybersecurity services every few years, for the same money with a bug bounty, you can find twice as many critical vulnerabilities. Developers say the information is better and easier to find problems and fix them,” said John Pescatore, director of emerging security trends at the SANS Institute. “It’s a lot of effort to do it right, but when it’s done right, it really pays off. If you think about that same $100,000, when you factor in overhead, that’s probably maybe 500 hours of labor with one-third going to program management, so let’s say it’s more like 400 hours, which is equivalent to 10 person weeks of technical effort. A lot of that is preparing documents, so in reality if you get two man-months for that $100,000.”
He said with a bug bounty, an organization spends 90 percent of its money on technical expertise versus about 60 percent in the more traditional way.
Synack co-founder and chief technology officer, Mark Kuhr said the use of a bug bounty requires organizations to take an uncomfortable approach to fixing software.
“Some companies and agencies’ first reaction may be to clamp down and reinforce their defenses against third parties. To beat a hacker, you have to think like a hacker, and agencies are now realizing that a crowdsourced security program can help them significantly bolster their security defenses against cyber adversaries,” said Kuhr in an email to Federal News Radio. “There is a misconception of the hacker community that hackers are ‘the bad guys.’ Trust is building between government leaders and security researchers. These researchers, or ethical hackers, often have massive conviction to doing what is right. They are modern day soldiers with a desire to use their talents to help protect their families, friends and countries. A number of our hackers have been part of the National Security Agency at some time in their career. Today ethical hackers are helping agencies identify their largest vulnerabilities and providing intelligence to help them fix and protect against similar issues in the future.”
Synack is one of two companies that won follow-on contracts from the “Hack the Pentagon” contest. Under the deal, Synack and HackerOne will help run as many as 14 other “white hat” hacker events where participants will earn payments for discovering security flaws. Synack also is helping the IRS protect its systems through a similar ethical hacking approach.
Kuhr said TTS’ approach to bug bounty follows the direction of the Pentagon’s approach, focusing on both finding vulnerabilities as well as generating high-quality security intelligence.
“TTS clearly understands that signal to noise ratio is critical and that strong triage services are key to an effective program. A program with a low signal to noise ratio runs the risk of burying devastating vulnerabilities in the noise of less critical findings,” Kuhr said. “Pulling the manpower needed to triage the many vulnerabilities discovered can be distracting and undermine other functions. It is important that a program has a way to dig into vulnerabilities to assess the damage that could be done and prioritize all necessary actions.”
Pescatore said organizations using the bug bounty concept need to stay away from a common mistake — holding the bounty after the software already is in production.
“Instead of doing it after the application is online, organizations should hold the bug bounty before because that’s where the biggest bang for the buck comes,” he said. “The more vulnerabilities you find, you have to be able to fix them. But when you fix them, you have to be sure they do not create new ones.
Agencies were doing testing, but not fixing the vulnerabilities. The crowdsourced approach is great when the staffing or capabilities to fix the problems is there and can be done without creating new ones.”
Both Pescatore and Synack lauded TTS for developing a bug bounty program. Pescatore said bug bounties give agencies access to skilled cyber citizens and lets them understand and address the most critical vulnerabilities first.