At the Bug Bounty lightning talks event in San Francisco on February 13, Katie Moussouris and Lisa Wiswell discussed the Hack the Pentagon initiative and the future of bug bounty programs in the US government.
At the event, hosted by Passcode and Uber, Wiswell—the woman behind Hack the Pentagon, and employee of the US Department of Defense’s Defense Digital Service—explained that there was an understandable amount of nervousness inside the Pentagon when the bug bounty cybersecurity program was launched in collaboration with HackerOne. They did, however, understand that bug bounty programs are a “successful security mechanism.”
The first bug bounty program in the history of the federal government unsurprisingly rattled the DoD as its entire existence is based on defense, Wiswell explained. “Historically, we’ve focused a lot on compliance and have sacrificed real security in doing so.”
Despite the early concerns, she described the pilot as a “tremendous success.”
Moussouris, CEO at Luta Security, helped the Department of Defense launch Hack the Pentagon after convincing Microsoft to launch its first bug bounty program in 2013. She added that it is essential to have the right resources to be able to fix the bugs that are found in a program like that. “If you launch a bug bounty program, you have to be ready for the flood of hacker love. If you don’t have the right resources to fix bugs, don’t do a bug bounty program,” she cautioned.
Moussouris explained that what motivated hackers to get involved with Hack the Pentagon was novelty. “There was a great amount of patriotic motivation too,” said Wiswell, adding that hackers have continued to support and be loyal to the program.
When questioned about whether bug bounty programs will continue under the Trump Administration, Moussouris was confident that the undisputed success of the programs to date would ensure continued investment in programs in the future. “The fact that the first bug bounty program run by the US government was the Department of Defense is significant. If they’re willing to enlist the help of hackers, that sends a great message to the rest of the US government and governments around the world.”
Wiswell was equally confident about the continuation of the program under the Trump Administration. “Bug bounty programs are here to stay [in the Department of Defense]. It’s a proven concept and gets great bang for the buck. It’s important to find low cost ways to do security and be more secure,” she said.
Hack the Pentagon was so successful that Wiswell admitted that she now spends a huge amount of her time consulting to other departments in the US government on how to implement and run successful bug bounty programs. Moussouris experienced a similar ‘consultancy’ phase for different departments at Microsoft after rolling out the first program.