White House: Government Needs More Bug Bounty Programs

Here’s one major lesson from the final draft of a White House IT modernization report released Wednesday: Cybersecurity needs to move closer to the federal employees who might click on malicious links, visit suspect websites or generally endanger government operations and citizens’ personal information.

Federal technologists have long warned the enterprise-level cybersecurity tools that government has historically relied on—which scan web traffic as it enters and exits government networks—haven’t kept up with the threat.

Government has been slow, however, to adopt the extensive array of tools that sit on individual computers and mobile devices and protect them from hacking.

The final draft of the modernization report recommends collecting security logs from individual applications.

The report also recommends establishing bug bounty programs for specific government applications and computer tools, which are essentially cash prizes for ethical hackers who spot hackable digital vulnerabilities in government systems.

“This information can provide insight into the gaps in security that agencies are experiencing, which informs the types of investments they should make to defend against modern threats,” the report states.

The report also recommends running non-public bug bounty programs in which the ethical hackers participating in the program are vetted in advance, so agencies can submit more sensitive or non-public systems to testing. Pilot bug bounty programs in the Defense Department have vetted participants.

The report also urges continuous vetting of the code running on government systems, threat modeling to determine agencies’ greatest vulnerabilities and that agencies rely, whenever possible, on well-vetted popular systems rather than custom built systems that might offer “security through obscurity.”