Critical, mission-facing computer systems were not involved in the program

In what government officials called the “first bug bounty in the history of the federal government,” hackers invited by the US government as part of a pilot program to find flaws with five Pentagon websites discovered 138 security vulnerabilities, Defense Secretary Ash Carter said Friday.

The program was designed to “identify and resolve security vulnerabilities within Defense Department websites through crowdsourcing.”

The Department of Defense partnered with HackerOne, a reputable bug-bounty-as-a-service firm based in California’s Silicon Valley, to run the Hack the Pentagon pilot program.

The program ran between April 18 and May 12 and had $150,000 in funding, with individual bounty payments dependent on a number of factors.

Participants in the bug bounty were required to register and submit to a background check prior to any involvement with the pilot program. Once vetted, these hackers participated in a “controlled, limited duration program” that allowed them to identify vulnerabilities on a “predetermined department system.”

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” said Secretary of Defense Ash Carter back in March at the onset of the program.

“Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” he added.

Craig Arendt and David Dworken received special recognition for their work in the program. Arendt, a computer security researcher, helped DoD identify a number of vulnerabilities, said Carter.

Dworken, an 18-year-old, recent high school graduate from the Washington, D.C., area, also submitted several vulnerabilities during the competition.

“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,” said Secretary Carter. “What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer.”

More than 1,400 eligible hackers completed the registration and were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report. Of all the submissions DoD received, 138 were determined to be legitimate, unique and eligible for a bounty.

According to the high school hacker, David Dworken, the competition was a unique opportunity to help the Department of Defense.

“It was a great experience,” said Dworken, who has participated in similar competitions. “I just started doing more and more of these bug bounty programs and found it rewarding. Both the monetary part of it and doing something that is good and beneficial to protect data online in general.”