Pentagon: Hack Us And Get Up To $110,000

Pentagon: The US Department of Defense has created a short but comprehensive bug bounty program that lets security researchers report vulnerabilities in its public-facing applications and systems.

Hack US began on Independence Day and will continue through July 11. The severity and number of flaws found determine the reward amounts.

DoD has set aside up to $110,000 for exploit hunting. Serious flaws are worth $500 each. Critical holes are worth at least $1,000, with as much as $5,000 set aside for particular awards, such as $3,000 for the best finding for *.army.mil.

HackerOne, a bug bounty platform maker, is running the initiative. HackerOne also ran the DoD's 12-month pilot program, which ended in April; Hack US adds monetary rewards to that effort.

The department stated in its program outline that the expanded program was intended to provide security researchers with terms and conditions for vulnerability discovery activities directed towards publicly accessible Department of Defense (DoD) information systems.

Private corporations and public agencies are increasingly using bug bounty programs as a way to strengthen security defences in a time when threats are increasing in sophistication.

“Vulnerability disclosure programs and bug bounty programs are effective cybersecurity tools that offer a good bang for your buck,” says Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows. These programs complement and extend an organization's internal vulnerability management strategy, and a third party can manage vulnerability disclosure and triage on a company's behalf.

Holland further states that technology companies that do not offer bug bounty programs are behind the curve. Since almost all companies are now technology companies, public-facing companies should offer bug bounty or vulnerability disclosure programs.

According to Mike Parkin (senior technical engineer at Cyber Vulcan), such programs offer security researchers financial incentives for detecting vulnerabilities that could threaten agencies and companies.

We know that threat actors do it to discover exploits they can use. Honest researchers need to have some incentive, too. Parkin says, “with the complexity of modern code, and the myriad interactions among applications, it is vital to have more responsible eyes looking out for flaws.”

Microsoft increased the bug bounty program’s reward amounts by up to 30% in April for ethical hackers who found “high-impact bugs” in Office 365 products. Meta, for its part, expanded its program in December 2021 to include scraping attacks against Facebook. Scraping uses automated tools to “scrape” information from sources such as user profile pages.

The global bug bounty market is expanding rapidly. All the Research estimates that the market will increase from $223.1 Million in 2020 to $5.4 Billion by 2027. Investment is also flowing to bug bounty vendors: HackerOne announced $49 million in Series E funding in January, while Integrity, a European company, said it had raised $22.3 million in April.

This is not surprising. Edgescan, a vulnerability detection and intelligence company, reported that 20.4% of vulnerabilities found in web applications and network infrastructures in 2021 were either high- or critical-risk. Companies and their customers can reduce that risk by using bug bounty programs.

Effective bug bounty programs reduce the risk of security flaws that could put an organization’s customers at risk. Ray Kelly, a Fellow at Synopsys Software Integrity Group, says that bug bounty programs have been very successful for security researchers and organizations alike. Payouts for bug reports can reach six figures, which may seem like a lot, but the cost of resolving and recovering from a zero-day vulnerability can run to millions of dollars.

The DoD’s pilot program, the Defense Industrial Base Vulnerability Disclosure Program (DIB–VDP), ended in April. It was launched with 14 participating companies and 141 assets; interest in the program led the agency to expand it to 41 companies and 348 assets. HackerOne researchers submitted 1,015 reports, and 401 of them were considered actionable for remediation.

In collaboration with HackerOne, the Chief Digital and Artificial Intelligence Office (CDAO) and Directorate for Digital Services are running the new program. According to the DoD, $75,000 of the total reward money will be distributed on a first-submitted, first-awarded basis. The DoD earmarks the remaining $35,000 for special vulnerability awards, such as Best Findings in the Hack US event or best domain findings in branches such as the Army, Navy and Air Force.

Casey Ellis, Bugcrowd’s founder and chief technology officer, says that DC3 made the smart decision to add a paid bug bounty program to its vulnerability disclosure program.

“There is a lot of technology that has been deployed. Our rate of deploying new technology increases and accelerates. And our adversaries are getting more skilled, aggressive, and diverse,” Ellis elaborates. While many security technology solutions can be used, at the end of it all cybersecurity is fundamentally a human problem, so humans will continue to play a significant role in protecting the internet.
