Here’s What Government Gets Wrong About Bug Bounties

polygraphus/Shutterstock.com

Congress has gone bananas for bug bounties, but they may not always be the right choice.

Bug bounties are hot in government right now, but the craze may be outpacing the contests’ actual usefulness, bug bounty practitioners tell Nextgov.

The Defense Department has launched four of the ethical hacking contests, which were first popularized at major tech firms and offer cash rewards in exchange for spotting and disclosing dangerous computer vulnerabilities.

Those contests—one each at the Pentagon and Army and two at the Air Force—netted more than 500 valid bug reports and more than $400,000 in payouts to hacker participants. Another contest, announced Monday, will challenge hackers to find vulnerabilities in the Pentagon’s travel booking system, which processes more than 25,000 transactions each day.

Lawmakers have sponsored bills mandating bug bounties at the Homeland Security and State departments.

The White House even urged bug bounties for selected applications and computer tools across the government in a December IT modernization report.

The excitement surrounding government bug bounties, however, takes little account of how difficult they are to pull off and how much work must go into them, practitioners say, especially at federal agencies with limited staff and resources that are scrambling to keep up with the software vulnerabilities they already know about.

“[Those agencies] don’t need outsiders pointing out more bugs in exchange for cash if the problem is keeping up with the volume of bug issues they already know about,” said Katie Moussouris, a former chief policy officer with HackerOne when the company helped launch the first Hack the Pentagon bug bounty in 2016.

Bills that mandate additional bug bounties, she said, are “well-meaning, but misdirected,” and would reroute money that would be better spent beefing up agency’s existing IT security teams.  

Who’s working on clean up?

The biggest problems come down to resources and maturity, Moussouris and other bug bounty practitioners say.  

When a major tech firm announces a bug bounty, you can be pretty sure that the company’s own security staff has already cleared out all the low-hanging fruit. That staff also probably knows just the sort of bugs they’re looking for and how to communicate with independent security researchers about those bugs.

Finally, the company’s security team probably has the resources and mandate to get the new vulnerabilities that independent hackers uncover patched as soon as possible.

The Pentagon and military services, which have staff and resources at least on par with major companies, can count on the same, though, perhaps, with a tad more bureaucracy.

When it comes to civilian government agencies, however, many are struggling to keep up with patching the bugs they already know about, including vulnerabilities that are regularly-disclosed in open source software and by major commercial software, vendors such as Microsoft, Oracle and Adobe.

Civilian agencies frequently miss deadlines for installing new software patches, according to audits. If agency IT staff can’t keep up with patching the hackable software flaws they know about, it won’t do much good to bombard them with dozens, hundreds or even thousands of new bug reports, practitioners say.

There’s also the issue of the resources to manage the bounty program itself.

If agencies aren’t vetting their software for obvious vulnerabilities, they’re also likely to receive dozens of duplicate reports about the same bug, practitioners said.

Plus, even the best bug bounty will draw a high proportion of bogus, confused or poorly vetted reports. During the Hack the Army competition, for example, which focused on comparatively well-vetted software, participants submitted 416 bug reports but only 118, or about one-fourth, were deemed “unique and actionable,” according to the Army report.

All of that takes time to sort through and reduces the time an agency’s IT staff can spend on its other responsibilities—including patching known vulnerabilities.

“The Defense Department has an enormous workforce that’s responsible for [patching], both internal and contractor,” said Lisa Wiswell, a former top Defense Department cyber adviser who helped organize the Pentagon bug bounty with HackerOne.

“Forgive the example, but who the hell’s at the Department of the Interior to fix their stuff?” Wiswell asked.

And That’s Just For Starters

There are plenty of other possible barriers to government bug bounties.

To begin with, government apps and websites are typically built by contractors rather than by the agency’s own IT staff and those contracts may be years old. If the contracts don’t include a provision requiring the contractor to participate in a bug bounty or to fix publicly submitted vulnerabilities, that could be a stumbling point.

Contractor-built tech systems are also common in the private sector, but the problem tends to be more prevalent and thornier in government, said Marten Mickos, CEO of HackerOne, the security company that facilitated all the Pentagon bug bounties.

Government, especially on the civilian side, also buys and updates its technology using an arcane and convoluted acquisition system that can make it difficult to make big moves, such as mandating compliance with a bug bounty.

Following the Hack the Pentagon pilot, defense officials shifted to ensure future tech contracts both permitted bug bounties and required agencies to fix vulnerabilities that were discovered during the process, the former defense official Lisa Wiswell said. That didn’t fix problems with current contracts, though, said Wiswell, whose official title at the Defense Digital Service was “bureaucracy hacker.”

Another problem is that bug bounties, by their very nature, deal with some gray areas of law and policy. That’s partly because internet security research is largely governed by pre-internet laws that are being interpreted in the internet era, such as the 1986 Computer Fraud and Abuse Act.  

If a bug bounty is written too broadly or carelessly, for example, it might seem to authorize illegal and malicious hacking of sensitive information, Moussouris said.  

This is a concern for private companies, but it really gives government officials heartburn, she said, noting that government agencies not only hold an inordinate amount of sensitive and legally protected information but are also among the most targeted organizations in the world, both by criminal hackers and nation-state intelligence services.

That’s just the beginning of the myriad legal and policy concerns an organization faces when running a bug bounty—concerns are particularly important for government.

A bug bounty organizer, for example, must ensure that no bounty money goes to a person or organization targeted by U.S. sanctions, must shield her organization from third-party lawsuits that might crop up as a result of something going haywire during the bounty and must create a plan for when a participant breaks the rules.

Finally, there’s the issue of building relationships between a government agency and the ethical hacker community, which might be skeptical about that agency’s mission or policies.

In advance of Hack the Pentagon, Moussouris reached out to a number of prominent ethical hackers to explain the program and build support, she said. After the announcement, she spent a lot of time on social media answering questions and making sure people understood correctly what the program was about.

“These were influential hackers who might have strong opinions if they misunderstood what DOD was actually trying to do,” she said.

Like most security researchers, Moussouris would like to see more government agencies adopt vulnerability disclosure policies, or VDPs—a cousin to bug bounties in which organizations describe how well-meaning researchers can pass along computer vulnerabilities in their public-facing apps and websites but don’t offer cash rewards.

She’s skeptical, however, of the congressional push for full bug bounties, and thinks federal money could be better spent building up agencies’ own ability to test their systems for vulnerabilities and patch the vulnerabilities that are exposed.

“There’s an absolute misunderstanding by members of Congress who say ‘let’s just repeat the success of Hack the Pentagon,’” Moussouris said. “They don’t understand the years of advisory work that happened leading up to Hack the Pentagon…One very unfortunate effect of all the work that went into making Hack the Pentagon successful is that now people think it’s easy and it’s not.”

Hacking DHS and State

The only civilian government division to launch a bug bounty, so far, is the General Services Administration’s IT innovation wing, the Technology Transformation Service, which has a limited web presence and a highly-sophisticated IT staff, many of whom have backgrounds in the private sector.

Lawmakers in both chambers, however, have introduced bills mandating a bug bounty at the Homeland Security Department and a House bill would mandate one at the State Department.

The most prominent Senate version of the Homeland Security bounty was included as an amendment, sponsored by Sen. Maggie Hassan, D-N.H., to a bill reauthorizing the full department. The House version is in a stand-alone bill sponsored by Reps. Scott Taylor, R-Va., and Ted Lieu, D-Calif. Lieu also co-sponsored the State Department bounty with Rep. Ted Yoho, R-Fla.

The Homeland Security Department is the lead government agency for civilian cybersecurity and manages numerous governmentwide cyber programs out of its cyber operations office, the National Protection and Programs Directorate. The department is also large and diverse, however, constructed from ad hoc elements after the Sept. 11 terrorist attacks, and some of its divisions are less than prepared for a full bug bounty, practitioners say.  

The overall department got middling grades on its annual information security scorecard and many divisions have been slow to implement the department’s own governmentwide mandates for cybersecurity.

The bills’ wording leaves open the possibility the bug bounty could be limited to the most digitally advanced Homeland Security divisions.

The State Department has received consistently poor cybersecurity marks in audits going back several years. The department also suffered a major email breach in 2014 that was likely launched by Russian government-backed hackers.  

A staffer for Rep. Lieu disputed the notion, Monday, that the State Department isn’t ready for a bug bounty, saying: “Our understanding is that the State Department already has the resources to move forward with our bill’s provisions.” If State officials are concerned that they’re not ready, however, they can “always flag major resource concerns that they hope to address as we move the bill through the committee process,” the staffer said.

The staffer also noted that the bill calls for a vulnerability disclosure policy within six months and a pilot bug bounty within one year to avoid “putting the cart before the horse.”

Ari Schwartz, a former top cyber advisor to President Barack Obama, provided a quote praising the vulnerability disclosure portion of the State Department bounty bill that Lieu and Yoho included in their press release.

If the bill advances, however, Schwartz would want to work with the sponsors to ensure a bug bounty wasn’t imposed on the State Department before it’s ready, he told Nextgov.

“I do think having a vulnerability disclosure program is a good idea for [the State Department],” said Schwartz who currently leads the Coalition for Cybersecurity Policy and Law, an advocacy group for cybersecurity companies.

“Whether that leads to large cash rewards immediately the way DoD moved is open for discussion,” he said.

Starting the Discussion

Schwartz noted, however, that the Hack Your State Department bill is “a good discussion point” that highlights concerns about where the department’s security program is now and where it ought to be.

The bill also tells that story in a way that’s easily comprehensible to other lawmakers, which is a useful service even if the bill doesn’t become law or doesn’t become law in its current form, Schwartz noted.

Marten Mickos, the HackerOne CEO, similarly acknowledged that some civilian agencies may not be mature enough for bug bounties, but said he nevertheless supports the legislative push for them.

“We’re not focused on the essence if we get upset by that,” he said. “The essence is lawmakers know they have to set a bar and set a mandate for this and we should support that…I don’t think any action is happening too fast. Whatever we’re doing in cybersecurity we’re doing it too slow.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.