Pentagon Is Far Too Tight With Its Security Bug Bounties (theregister.com) 23
Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection.
The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that. "The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register.
"For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."
The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that. "The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register.
"For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."
The Pentagon is far too tight (Score:1)
The very word "secrecy" is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths and to secret proceedings. We decided long ago that the dangers of excessive and unwarranted concealment of pertinent facts far outweighed the dangers which are cited to justify it. Even today, there is little value in opposing the threat of a closed society by imitating its arbitrary restrictions. Even today, there is little value in insuring the s
Re: (Score:3)
So you'll be posting your SS#, driver license number, address, phone number, computer accounts with their password, etc. here on Slashdot. We're breathless with anticipation.
Secrecy (Score:2)
So that's a pretty broad brush you're using to paint society. Show me one example in the entire history of mankind of a society that successfully operated without secrecy, within the parameters you have described. EVER. And then explain how one can magically do so against all the pressures of human nature. What traditions of the U.S. do you expect to survive? Near as I can tell, there is no tradition of a free and open society without secrecy, so it can't be that.
"...we are as a people inherently and histor
Well duh (Score:2)
Government doesn't pay enough in general (Score:3)
Directors and other mucky mucks at all of the TLAs have complained that they don't have enough funding to retain the best. Once they have attained a clearance they suddenly have massively better opportunities in the private sector created by government contract requirements, which in turn are derived from pork projects to prop up states without otherwise viable economies. FBI, CIA, NSA, they have all bemoaned their lack of funding. Meanwhile, the military gets budget allocations they didn't request, where is that money going?
Re: (Score:2)
Meanwhile, the military gets budget allocations they didn't request, where is that money going?
Secret operations around the world to make massive amounts of money and exert toxic financial dominance? Because that seems to be working while yachts ends in embarrassment, failure, and looming regime change.
Re: (Score:2)
Re: (Score:2)
The military pays almost $10 an hour to train soldiers.
The pay's not great, so the total cost isn't all that high. And despite not being that great, that's still less than half what it costs to have an employee making military wages.
Not the only thing they're tight about (Score:3)
When you pay your cybersecurity folks a tad more than half of what the rest of the world does, what do you expect*
And before you ask, yes, this includes (but is definitely not limited to) the NSA
Re: (Score:3)
For bug hunters, there must be a monetary incentive to get them to participate
Funny, I know several countries that would pay very very well for these bugs.
They have no reason to be otherwise (Score:1)
Re: (Score:1)
When penetration testing Pentagon websites and services is not paid sufficiently, the alternative is to test something else instead. That means the bugs will be left to the Chinese/Russians/etc to discover. No treason involved.
Re: (Score:1)
Pay peanuts, get monkeys (Score:4, Insightful)
As the saying goes, you don't make it worthwhile for people to spend time and effort on your site/services, they ain't going to do it. Or you don't get many people doing it.
Some may do it to get some credibility (hey I helped the Pentagon fix stuff, so I can fix your stuff too!), but those who already have the credibility and the skills may not bother.
Re: (Score:1)
Fiscal responsibility (Score:1)