How Governments are Running Effective Bug Bounty Programs

If you’re reading this article, statistically speaking your organization might be getting hacked. In the private sector, the Equifax hack and Intel’s processor vulnerabilities took the mainstream media by storm. And over the past year, data breaches of U.S. government networks, once novel, have become pervasive. Take it from the Office of Personnel Management (OPM) or the IRS – no one is safe anymore. This raises the question: are we doing enough to protect our nation’s assets against malicious attacks?

If we look at what governments are currently doing for better cybersecurity, the Pentagon stands out for its work with the “Hack the Pentagon” program, which has proven to be successful and repeatable. Today’s news that the Swiss Government is establishing a bug bounty program, encouraging good-faith hackers to try to break into the country’s electronic voting system undetected, validates that the model is effective as part of the broader effort to make systems more secure.

We’ve been happy to see bug bounty efforts start to take hold in government, both here in the U.S. and abroad. The DoD’s “Hack the Pentagon” program has driven a lot of positive change in this direction, and we were excited to have a few members of the team join LevelUp 0x03, the third edition of our virtual hacker conference.

To begin the day-long, dual-track event, we were joined by Khris Johnson, Director of the Department of Defense (DoD) Vulnerability Disclosure Program (VDP); John Repici, contract mission lead for the DoD VDP; and Amit Elazari, Doctor of Science of Law and Director, Global Cybersecurity Policy at Intel. The discussion, “Behind the Curtain: Safe Harbor and DoD,” took a look at the history of the DoD’s Vulnerability Disclosure Programs and bug bounty efforts, Safe Harbor protections, and how researchers can best work with the DoD. You can see the full presentation below.

Today’s news from Switzerland should serve as an example of the power of this model, and I hope it encourages other governments to do the same. I look forward to seeing the success of the program, and how its findings are applied to ensure other parts of the government are secure.

If you’d like to learn more about how governments are effectively running crowdsourced security programs, contact us and speak with one of our crowdsourced security experts.

To learn more about bug bounties, check out our Illustrated Guide to Bug Bounties.