Within 13 minutes of urging hackers to take their best shot at the Pentagon's public websites, the US government's first-ever bug bounty program had its first submission. Just six hours later, hackers had already uncovered nearly 200 vulnerabilities on the Department of Defense's public websites.

Already a staple for companies such as Google and Facebook, the bug bounty program – which pays friendly hackers to do the sorts of things that recreational hackers might do for fun, and that criminals like to do for far more nefarious purposes – was so successful that Pentagon officials say they are considering another bug bounty program for later this year. Other federal agencies, they add, would do well to follow their lead.

The chance to hack the feds drew a wide variety of comers, including David Dworken, 18, who has been a fan of bug bounty programs since middle school. "I probably spent about 20 hours on one because I thought they had a really cool T-shirt," he says. "I thought it was pretty awesome that you could get free T-shirts in the mail."

Dworken signed up for an account with HackerOne, a firm that runs bug bounty programs, and gravitated toward companies that offer "Hall of Fame" listings on their websites in lieu of cash for finding bugs. On the Netflix website, for instance, Dworken found that he could create a URL "that could display and do whatever I wanted. I could send it to you and if you were signed into Netflix, I could steal your account information," he says. "The fact that software engineers at Netflix are making sure that's fixed is incredibly satisfying."

As he got more experience, he moved on to companies such as Uber, where he's earned $8,000 finding four bugs, "which is amazing," Dworken says. "I do this because I think it's the right thing to do, but I really started to get to the point where I made a good chunk of change."

Then, as he was getting a lift to school with his dad one morning, he heard about a bug bounty on National Public Radio. "We always listen to NPR in the car," he says. It didn't take long for Dworken to set off on his most intriguing challenge to date: hacking the Pentagon.

Not long after learning about the program, he received an email from HackerOne, which was running the Pentagon's bug bounty. They wanted him to participate. "I was shocked, and unbelievably excited," he said. His Advanced Placement exams were happening at the same time. So he quickly got to work, reporting "four or five vulnerabilities within the first 12 hours of it opening," then got back to his studies.

"They were the standard web security vulnerabilities that are on pretty much any website unless they have a really good web security team – or a bug bounty," he said. While these sorts of vulnerabilities are "shockingly common overall," the fact that they existed until recently on DOD websites was striking to Dworken. "Now, it's raised the barrier to hacking into the Pentagon, which is absolutely an amazing thing," he says. "This may sound cheesy, but it's a way to serve my country from the comfort of my computer."

Defense officials are counting on this kind of patriotic spirit, and the cachet of getting to hack, well, the Pentagon. "A lot of hackers, like myself, will choose to help – and not just for the money, but for recognition. This is a historic program," Katie Moussouris, currently an independent security consultant and former chief policy officer at HackerOne, told reporters in April. "The prestige of being part of the very first program for the US government is also a commodity in and of itself."

And that saves the Pentagon money: the bug bounty pilot program cost $150,000. "It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us over $1 million," said Defense Secretary Ash Carter. The DOD paid $5 million over three years to one vendor, which found fewer than 10 vulnerabilities.

These public bug bounty programs do not throw open the Pentagon's floodgates to let hackers poke around its Secret Internet Protocol Router Network, or SIPRNet, or even the sensitive-but-unclassified Non-Secure Internet Protocol Router Network, or NIPRNet. Instead, they sweep up the admittedly low-hanging fruit – a military recreation website that tells you where to rent canoes, for instance – that offers all too enticing opportunities for "embarrassment through defacement," as defense officials put it. The Pentagon runs roughly 450 of these websites.

In total, 1,400 eligible ethical hackers – otherwise known as "white hats" – were invited to take part in the program, and more than 250 of them found and submitted at least one vulnerability.