Government leads the way in crowdsourced security

 


The adoption of bug-bounty programs in government has increased 125 percent year over year, according to a new report.

To strengthen the defenses and resilience of IT systems, organizations increasingly are turning to ethical hackers and running bug bounty programs that offer rewards for uncovered vulnerabilities.

While security researchers can earn big payouts from the likes of Google, Microsoft and other tech companies, they've also identified plenty of issues with public-sector websites, and government officials have seen the value of cybersecurity testing that pays only for results.

Government use of bug-bounty programs has increased at a year-over-year rate of 125 percent, according to a new report from HackerOne, the company that runs the platform for hosting bug bounty competitions. That makes government the leading industry sector for adoption of crowdsourced security.

The U.S. government's first major bug bounty program, Hack the Pentagon, was announced by the Defense Digital Service in April 2016, and offered vetted ethical hackers bounties for identifying and resolving security vulnerabilities in five of the Defense Department's public-facing websites. For that initial challenge, more than 1,400 hackers signed up, and the first bug was reported just 13 minutes after the contest began. In all, 138 legitimate and unique vulnerabilities were found, and $75,000 in total bounty rewards were paid out.

Since then, DOD has run four more bug bounty challenges: Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System. To date, reports of 5,000 vulnerabilities in U.S. government systems have been received and, according to a May 16 tweet from the Defense Digital Service, security researchers have earned over $400,000.

The program has expanded beyond the Pentagon. The General Services Administration's 18F launched a bug bounty program for the Technology Transformation Service, covering vulnerabilities found in Federalist, data.gov, cloud.gov, login.gov and a handful of other websites. Legislation has been proposed for similar programs for the Department of Homeland Security and the State Department, as well as a bug-bounty program for finding vulnerabilities in election systems.

HackerOne's 2018 Hacker-Powered Security Report examined data from 78,275 security vulnerability reports collected across more than 1,000 bug bounty and vulnerability disclosure programs it runs around the world.

Across 11 industry sectors, the two most frequently identified vulnerability types are cross-site scripting and information disclosure. For government programs, cryptographic issues tie for second. Other top issues found in government systems include violations of secure design principles, open redirect problems and SQL injection.

And while finding vulnerabilities is important, resolving them quickly is imperative. The fastest report-to-resolution times, under 20 days, belong to the consumer goods, financial services and health care industries. The government sector takes 68 days from identification to resolution, though it pays bounties relatively quickly, in 18 days, even before issues are resolved.

In spite of the success seen by government and the tech industry, the vast majority of the 2017 Forbes Global 2000 companies do not have a policy for third-party vulnerability disclosures, HackerOne said, which makes security researchers sometimes reluctant to disclose vulnerabilities for fear of prosecution.

At a February hearing of a Senate panel on data security and bug-bounty programs, HackerOne CEO Marten Mickos called for reforms to the Computer Fraud and Abuse Act, which criminalizes unauthorized computer access without making specific allowances for some security research activities.

"Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed," said Mickos, who criticized the CFAA for having "vague wording that has not kept pace with the proliferation of the internet."

Both DOD and GSA have developed such vulnerability disclosure policies, and the Department of Justice issued a framework in July 2017 to help agencies design their own policies.
