Between April 18 and May 12, more than 1,400 hackers set their sights on the Pentagon, finding 138 validated vulnerabilities ranging from cross-site scripting (XSS) to SQL injection. The pilot was successful enough that the Pentagon decided to invite the hackers back and make it a regular event.
Those weeks marked the Department of Defense's first bug bounty, in which participants were invited to find and report potentially dangerous security flaws in some of the public-facing websites run by the DoD. The plan worked.
"These functions normally take hundreds of man hours," the Department of Defense noted in a statement. "The entire cost of the Hack the Pentagon pilot was $150,000, with about half going to the hackers themselves."
Not a bad return on investment, apparently, and it's a strategy the DoD plans to expand on in the future.
"The U.S. Government is constantly under attack by hackers, and DoD is no exception. DoD information and networks have been compromised in the past through unpatched or unknown vulnerabilities in websites," the department's report noted. "We believe the concept will be successful when applied to many or all of DoD’s other security challenges. That’s why starting this month DoD is embarking on three follow-on initiatives."
Those initiatives include:
- Developing a responsible disclosure policy, so that in the future security researchers can report flaws "without fear of prosecution."
- Expanding bug bounty programs to other DoD components on an ongoing basis.
- Providing incentives for contractors to use bug bounties and code review processes to root out security problems before deployment.
With 1,819 vulnerability reports submitted in total (the 138 referenced above were the ones validated as genuine, unique vulnerabilities), the Pentagon seems pleased with the results.
"DoD will capitalize on its success and continue to evolve the way we secure DoD networks, systems, and information," the agency stated.