Carter Announces Program for Hackers to Disclose DOD Web Vulnerabilities

Defense Secretary Ash Carter speaks during a news conference at the Pentagon.

Defense Secretary Ash Carter speaks during a news conference at the Pentagon. Alex Brandon/AP

The program launches the same day as the Hack the Army bug bounty program.

Defense Secretary Ash Carter today launched a process for ethical hackers to alert the Pentagon about any vulnerabilities they discover on Defense Department websites.

The vulnerabilities disclosure program comes out the same day DOD launches its Hack the Army bug bounty program, which offers cash prizes for vulnerabilities hackers find in a select group of high-value websites.

The goal of both programs is to provide a clear process for internet security researchers to disclose dangerous vulnerabilities to the Pentagon without fearing they’ll be sued for violating the sites’ copyright protections or laws such as the Computer Fraud and Abuse Act.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“We want to engage with those researchers so we can fix those bugs before the bad guys have a chance to find them,” Charley Snyder, senior DOD cyber policy adviser, said during a media briefing.

Both programs are being managed in cooperation with the bug bounty organizer HackerOne. Hack the Army is the first of several bug bounty programs DOD plans to launch, Snyder said.

The seed of the vulnerability disclosure program arose during a pilot Hack the Pentagon program earlier this year during which hackers uncovered 1,189 bugs and received about $75,000 in bounties.

Several participants found computer bugs outside the scope of the contest and asked how to share them. It turned out there wasn’t a way, Defense Digital Service Chief Chris Lynch said.

“We have actually dissuaded people from telling us about vulnerabilities,” Lynch said during a media briefing. “That’s crazy.”

The vulnerability disclosure program will apply to all publicly accessible DOD websites and be open to any U.S. citizen or resident, Snyder said.

Unlike Hack the Pentagon, both programs will also be open to military and civilian employees, though they won’t be able to get payouts from the Hack the Army bug bounty program, said Lisa Wiswell, digital security lead with the Defense Digital Service.

That could be a boon to military cyber specialists invested in keeping DOD websites secure and see the program as basically free practice, Wiswell said.

DOD is working on ways to provide some financial incentives for ethical hackers who are also federal government or military employees, but hasn’t worked it out with the lawyers yet, Wiswell said.

Private companies including Google and Apple have increasingly adopted disclosure programs and bug bounties as a way to tap the public to find vulnerabilities their own security teams miss.

Many companies are still wary about accepting public bug reports, though, and the security researchers who report them, sometimes called white hat hackers, are often on shaky legal ground.  

DOD officials are hopeful the department’s bug bounty and vulnerability disclosure programs will convince more civilian agencies and companies to launch similar programs, Lynch said.

Unlike Hack the Pentagon, Hack the Army will focus on high-value targets, such as recruiting websites, Wiswell said.

Hack the Army will still be restricted to publicly accessible websites, but many of the recruiting sites are connected to back-end databases that contain sensitive information such as recruits’ personal information, Lynch said.

Those databases aren’t supposed to be accessible to people without proper credentials. If a volunteer hacker discovers a way to reach them, that could lead to a hefty payout, Lynch said.

The minimum bounty payout for Hack the Army will be $100, but there’s no ceiling for payments, Wiswell said. The highest payout during Hack the Pentagon was $15,000, she noted. Because the Army sites are higher value, the payouts are likely to be higher too, Wiswell added.