DoD Bug Bounty Program–A Formative Approach for Security Audits?

The U.S. Department of Defense (DoD) has launched “Hack the Pentagon” as a pilot bug bounty program. It is the first federal government-initiated cybersecurity bug bounty program, and it is designed to identify and resolve security vulnerabilities in the Pentagon’s public-facing websites. The DoD has partnered with HackerOne to invite hackers to register and submit to a background check in order to participate. Participants could be eligible for individual bounty payments drawn from the $150,000 in funding for the program.

Both commercial sector and government organizations face many challenges in managing an effective application security program. The Pentagon’s pilot bug bounty program therefore raises the question of whether vulnerability rewards are a reliable approach for federal government agencies to protect their online properties, assets, and information.

Whether or not the Pentagon’s website security improves as a result of the bug bounty program, there is limited understanding of these initiatives and of the risks involved with this type of cybersecurity program.

So, what are Bug Bounty Programs?

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards white hat hackers for discovering software bugs, often paying a monetary reward for reporting exploitable vulnerabilities.

In 1995, Netscape was the first to offer bug bounties. Since then, the likes of Google, Facebook and Microsoft have developed active bug bounty programs that reward white hat hackers for reporting vulnerabilities. Google’s reward program pays between $100 and $20,000 for qualifying bugs. Facebook’s bug bounty program pays a minimum of $500, while Microsoft offers up to $100,000 for the discovery of critical vulnerabilities.

With the increased popularity of these programs, a number of bug-bounty-as-a-service companies similar to HackerOne have launched. Companies like Bugcrowd and Synack also provide dedicated platforms for managing bug bounty programs on behalf of third-party customers. These crowdsourcing vendors provide a platform on which hackers register, report security flaws, and get rewarded for exploitable vulnerabilities.

What are the risks involved with Bug Bounty Programs?

As the acceptance of bug bounty programs has grown over the last few years, so have the risks of involving public hackers in identifying security flaws for a monetary reward. Organizations must be mindful of the inherent risks of bug bounties while not overlooking internal code reviews and penetration testing as an essential part of the Security Development Lifecycle (SDL) process and of the vulnerability management strategy.

Although large tech companies have been running their own bug bounty programs effectively, most small and mid-sized organizations lack the security expertise, time and resources to handle zero-day vulnerabilities. Furthermore, risk appetite varies from one organization to the next based on its financial, compliance and contractual obligations. Refusing to pay a bug bounty can also have serious consequences if the hacker exploits the vulnerability rather than reporting it to be fixed, or simply seeks negative media attention, as was the case in the FireEye/Hermansen standoff.

Likewise, the recent Instagram hack revealed the risks of bug bounty programs: it resulted in the exposure of sensitive data that Facebook considered to be outside its guidelines for discovering and reporting technical security vulnerabilities.

Bug Bounty Programs cannot replace traditional security testing

As described in my previous blog, the most common secure software development mistakes begin with the lack of a security audit that uses the OWASP Top 10 and SANS Top 25 attack categories for vulnerability assessment, together with professional penetration testing to remediate business logic flaws. Additionally, improved Secure Software Development Life Cycle (SSDLC) processes should be established to avoid the expensive approach of uncovering security bugs only after the code has been released to the public.

In spite of the growth in bug bounties, these programs cannot be considered alternatives to traditional security testing and secure coding practices. Even the companies running bug bounty programs have well-established software assurance processes for security testing. Moreover, these programs are not a viable option for testing applications that handle private and sensitive information. Finally, today’s penetration testing services provide added trust and liability coverage to protect customers’ financial and compliance interests and requirements.

While bug bounty programs could feasibly improve web security for some organizations, the essentials of security testing and monitoring cannot be replaced: developer training, source code reviews, QA testing, and internal and third-party penetration testing.

For those interested, the “Hack the Pentagon” Bug Bounty Program ends May 12, 2016. Registration closed on April 22, 2016.

Learn More about Penetration Testing and Ethical Hacking

Gain realistic insight into potential security gaps within your organization’s networks, IoT devices, and web and mobile applications.

Download our White Paper today: “Pentesting: The Required Human Ingenuity to Uncover Security Gaps”
