Today we celebrate cyber defense. The U.S. Department of Defense’s Defense Digital Service (DDS) announced expansion of the Hack the Pentagon crowdsourced security program and partnership with HackerOne. HackerOne is one of three vendors to be awarded a contract as part of the Hack the Pentagon expansion to run private assessments against sensitive, internal systems.This is in addition to HackerOne’s existing contract for public facing assets. As we applaud the DoD’s continued effort to help drive security innovation, let us also revisit how far we’ve come together and what lies ahead.
Hack the Pentagon in 2016 was the first ever federal bug bounty program pioneered by the U.S. Department of Defense’s Defense Digital Service (DDS) with HackerOne. In the past two years, more than 5,000 valid vulnerabilities have been reported in government systems through HackerOne, 2,000 in the past year alone. This is just the beginning.
We’ve Come A Long Way
The first Hack the Pentagon bug bounty challenge was only open to U.S. citizens. The first submission was reported within 13 minutes of the program launch. By the end of the month, over 130 valid bugs were resolved in Pentagon’s systems and tens of thousands of dollars paid to ethical hackers for their efforts. Since the first pilot, we have worked with DDS to launch programs with the Army, Air Force twice, Defense Travel System, and most recently the Marine Corps, in addition to the DoD’s ongoing vulnerability disclosure program (VDP). The VDP was established as an open channel for anyone in the world to report security vulnerabilities to the DoD should they find one. Even without offering monetary rewards, we’ve seen over 700 hackers participate. The hacker community is hungry to help, even if that doesn’t mean bounty payouts.
Hack the Pentagon programs with HackerOne have paid out over $500,000 to hackers for helping safeguard critical services and data across a range of DoD websites and applications. Following Hack the Pentagon, Hack the Army in December 2016 surfaced over 115 valid vulnerabilities and paid $100,000. Hack the Air Force in April 2017 bug bounty challenge resulted in over 200 valid reports and hackers earned more than $130,000 for their contributions. Hack the Air Force 2.0 in December 2017 resulted in over 100 valid vulnerabilities surfaced and more than $100,000 paid to hackers. Hack the Defense Travel System in April 2018 resulted in 100 security vulnerabilities reported and $80,000 paid to hackers. The latest federal bug bounty challenge, Hack the Marine Corps surfaced nearly 150 unique valid vulnerabilities and were awarded over $150,000 for their contributions.
HackerOne helped launch Hack the Air Force 2.0 and Hack the Marine Corps at live hacking events in New York City and Las Vegas respectively. For the first time, the federal government worked shoulder to shoulder with crowdsourced ethical hackers as they simulated live attacks on government assets in the spirit of collaboration and in an effort to boost security. The DoD has awarded over $100,000 at live hacking events to hackers that have helped them harden attack surfaces and secure sensitive assets. NBC Nightly News covered Hack the Marine Corps’ live hacking kickoff event, sharing with the masses how hackers are protecting government assets and U.S. citizens.
With every iteration, government programs are becoming more open, more inclusive, more diverse. The DoD even allowed a non-NATO country (Sweden) to participate. With each program, hackers provide new perspectives and value to the agencies. During Hack the Air Force 2.0, hackers were able to leverage a vulnerability in an Air Force website to pivot onto the U.S. Department of Defense’s (DoD’s) unclassified network — something better found by friendly hackers than adversaries. Now with six DoD bug bounty challenges and two live hacking events with military organizations under our belt, we’re standing ready to serve as the DoD’s most experienced crowdsourced cybersecurity resource.
Momentum Is Building
Since HackerOne was founded in 2012, we have built the largest hacker community, over 250,000 strong, and the largest collection of programs for hackers to test — over 1,200 programs with organizations including General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the Singapore Ministry of Defence, European Commission, and more. Together, hackers have helped our customers resolve over 83,000 valid vulnerabilities, earning over $38 million for their contributions. We are forever grateful to the hacker community for their dedication, skill and willingness to help make the internet a safer place. Without hackers, none of this is possible.
Government organizations like the GSA have launched programs with HackerOne, a contact that was also just extended last month. Other federal organizations like the Department of Justice, Food and Drug Administration (FDA), and National Highway Traffic Safety Administration (NHTSA) have recommended vulnerability disclosure programs as a cybersecurity best practice. Hack the DHS and Hack Your State Department are two recent bills approved by the House of Representatives. The DoD pioneered an important change for security, and every industry has been following suit.
There is an army over over 250,000 hackers ready and willing to help. Soon we will have more than a million hackers in our community. The best is yet to come. This community of hackers is the best defense we have against the biggest risk of our times — the risk of cyber breach.