Hacker-Powered Pen Tests at the U.S. Federal Government

Jun 6 2018
luke

When looking for a model to inform your own security posture, the Department of Defense is a good place to start. Not only was it the first part of the U.S. Federal Government to invite white-hat hackers to test its systems, back in 2016, it has been using hacker-powered security in new and interesting ways ever since. It has also blazed a trail for other public organizations.

For those in the private sector, the DoD has also shown how bug bounty challenges can supplement, or stand in for, a typical penetration test and provide an easy onramp to hacker-powered security. Here is just a sample of what the DoD has accomplished in two short years:

  • Hack the Pentagon, a month-long bug bounty program in April 2016 aimed at the DoD’s public websites. The program saw hundreds of incoming bug reports, with nearly 150 eligible for bounties totaling $75,000.

  • Hack the Army moved on to the DoD’s operationally significant websites. In under a month, hackers filed more than 400 bug reports and were paid $100,000 in total bounties.

  • Hack the Air Force further expanded the scope to include online services. In just 24 days, hackers found over 200 vulnerabilities and earned $130,000 in bounties.

  • Hack the Air Force 2.0 went even further, kicking off with a live-hacking event in which Airmen and hackers worked side by side to secure Air Force assets. Over 100 vulnerabilities were reported and fixed, with $103,000 in bounties paid out during the 20-day challenge. Watch the action unfold at the NYC h1-212 live-hacking event.

  • Hack the DTS put hackers to work on the Defense Travel System, which comprises 9,500 websites worldwide and is relied on by millions of employees. In under a month, hackers helped identify over 100 potential security vulnerabilities, earning $80,000.

The DoD’s approach to hacker-powered security is a model every organization, public or private, can learn from. To read more about how the DoD started its programs and how it used HackerOne Challenges as a supplement to traditional pen tests, download the report: “Defending the Federal Government from Cyber Attacks”.