Hackers screened for their good intentions found 138 “vulnerabilities” in the Defense Department’s cyber defenses in a “bug bounty” awards program that will end up saving the Pentagon money, Defense Secretary Ashton Carter said Friday.
Under the “Hack The Pentagon” program, the first ever conducted by the federal government, more than 1,400 “white hat” hackers were vetted and invited to challenge the Pentagon’s defenses to compete for cash awards.
Of the 1,400 who entered, about 250 submitted vulnerability reports, and 138 of those “were determined to be legitimate, unique and eligible for bounty,” Carter said at a Pentagon news conference.
The lessons learned from the “Hack The Pentagon” challenge, an initiative of the Defense Digital Services started by Carter, came at a fraction of the cost of bringing in an outside firm to conduct an audit of the Pentagon’s cyber-security, he said.
The awards going out total $150,000 while a full-blown cyber audit would have cost at least $1 million, he said. In addition, “we’ve fixed all those vulnerabilities,” Carter said.
No federal agency had ever offered a bug bounty, he noted.
“Through this pilot we found a cost-effective way to supplement and support what our dedicated people do every day,” Carter said.
“It’s a lot better than either hiring somebody to do that for you or finding out the hard way,” he said. “What we didn’t fully appreciate before this pilot was how many white-hat hackers there are.”
Carter said the Pentagon had plans to encourage defense contractors to submit their programs and products for independent security reviews and bug bounty programs before they deliver them to the government.