Joseph Marks | Nextgov | November 21, 2016 | 0 Comments

Carter Announces Program for Hackers to Disclose DOD Web Vulnerabilities

Defense Secretary Ash Carter speaks during a news conference at the Pentagon. Alex Brandon/AP

Defense Secretary Ash Carter today launched a process for ethical hackers to alert the Pentagon about any vulnerabilities they discover on Defense Department websites.

The vulnerabilities disclosure program comes out the same day DOD launches its Hack the Army bug bounty program, which offers cash prizes for vulnerabilities hackers find in a select group of high-value websites.

The goal of both programs is to provide a clear process for internet security researchers to disclose dangerous vulnerabilities to the Pentagon without fearing they’ll be sued for violating the sites’ copyright protections or laws such as the Computer Fraud and Abuse Act.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“We want to engage with those researchers so we can fix those bugs before the bad guys have a chance to find them,” Charley Snyder, senior DOD cyber policy adviser, said during a media briefing.

Both programs are being managed in cooperation with the bug bounty organizer HackerOne. Hack the Army is the first of several bug bounty programs DOD plans to launch, Snyder said.

The seed of the vulnerability disclosure program arose during a pilot Hack the Pentagon program earlier this year during which hackers uncovered 1,189 bugs and received about $75,000 in bounties.

Several participants found computer bugs outside the scope of the contest and asked how to share them. It turned out there wasn’t a way, Defense Digital Service Chief Chris Lynch said.

“We have actually dissuaded people from telling us about vulnerabilities,” Lynch said during a media briefing. “That’s crazy.”

The vulnerability disclosure program will apply to all publicly accessible DOD websites and be open to any U.S. citizen or resident, Snyder said.

Unlike Hack the Pentagon, both programs will also be open to military and civilian employees, though they won’t be able to get payouts from the Hack the Army bug bounty program, said Lisa Wiswell, digital security lead with the Defense Digital Service.

That could be a boon to military cyber specialists invested in keeping DOD websites secure and see the program as basically free practice, Wiswell said.

DOD is working on ways to provide some financial incentives for ethical hackers who are also federal government or military employees, but hasn’t worked it out with the lawyers yet, Wiswell said.

Private companies including Google and Apple have increasingly adopted disclosure programs and bug bounties as a way to tap the public to find vulnerabilities their own security teams miss.

Many companies are still wary about accepting public bug reports, though, and the security researchers who report them, sometimes called white hat hackers, are often on shaky legal ground.  

DOD officials are hopeful the department’s bug bounty and vulnerability disclosure programs will convince more civilian agencies and companies to launch similar programs, Lynch said.

Unlike Hack the Pentagon, Hack the Army will focus on high-value targets, such as recruiting websites, Wiswell said.

Hack the Army will still be restricted to publicly accessible websites, but many of the recruiting sites are connected to back-end databases that contain sensitive information such as recruits’ personal information, Lynch said.

Those databases aren’t supposed to be accessible to people without proper credentials. If a volunteer hacker discovers a way to reach them, that could lead to a hefty payout, Lynch said.

The minimum bounty payout for Hack the Army will be $100, but there’s no ceiling for payments, Wiswell said. The highest payout during Hack the Pentagon was $15,000, she noted. Because the Army sites are higher value, the payouts are likely to be higher too, Wiswell added.  


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.