The United States government doesn't get along with hackers. That's just how it is. Hacking protected systems, even to reveal their weaknesses, is illegal under the Computer Fraud and Abuse Act, and the Department of Justice has repeatedly made it clear that it will enforce the law. In the last 18 months, though, a new Department of Defense project called "Hack the Pentagon" has offered real glimmers of hope that these prejudices could change.

The government's longstanding defensive posture makes some sense in theory—it has important secrets to keep—but in practice security experts have long criticized the stance as a fundamental misunderstanding of how cybersecurity works. The inability of researchers and concerned citizens to disclose vulnerabilities they find inevitably makes the government (or any institution) less secure. So in the wake of numerous government agency breaches, including the devastating Office of Personnel Management hack, DoD's Defense Digital Services group, the Office of the Secretary of Defense Cyber Policy group, and then-Defense Secretary Ash Carter saw a possible opportunity to spur change by introducing the DoD to bug bounties—programs that offer cash rewards to independent hackers who find and disclose software bugs.

"DoD has a framework of doing penetration testing and doing their own vulnerability assessment, but this is in the constraints of federal government," says Michael Chung, the Product and Technology Lead at Defense Digital Services. "So our gut feeling was that bringing in private sector practices would show that there were more vulnerabilities that hadn't been found."

Hack the Feds

With the help of bug bounty facilitator firm HackerOne and after coordinating with the Department of Justice, DDS kicked off the pilot Hack the Pentagon bug bounty on April 16, 2016. Over a 24-day period, dozens of pre-selected security researchers hunted down vulnerabilities in certain public-facing DoD websites, in what was the first bug bounty ever run at a federal agency. The department ended up resolving more than 138 unique vulnerabilities, and paid tens of thousands of dollars to 58 hackers. One made a total of $15,000 by reporting multiple bugs.

"What HackerOne and the Pentagon have done seems like a feat of wizardry," says Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group, and a contributor to the first Hack the Pentagon bug bounty (though he chose not to be eligible for rewards). "Up until very recently, the government’s way of keeping people in the US from hacking them was to basically threaten that black helicopters would show up over your house if you tried. Then one day I’m stuck at the airport and I’m brute-forcing various Pentagon hosts with no fear of repercussions. It’s pretty cool."

To follow up on the success of Hack the Pentagon, DoD launched another bounty, Hack the Army, last November, to assess public-facing websites related to Army enrollment. That program included hundreds of hackers who found more than 100 unique bugs, and received about $100,000 in total payouts.

After Hack the Pentagon, DoD had noticed that with limited-time bounties, bugs still trickled in days and weeks after the open call concluded. So the feds announced an open-ended Vulnerabilities Disclosure Policy that didn't offer rewards, but would legally allow people to submit bugs at any time for public-facing websites and web applications owned by DoD.

In the year since, about 650 people have submitted almost 3,000 unique, valid vulnerabilities. A year ago, they would have been breaking the law.

"The VDP has just really taken off and started providing value in a way that I don’t think anyone was anticipating when we first launched it," says Alex Rice, CTO of HackerOne. "It was some learning. DoD realized that...if someone was still working on something there was no legal channel for them to get it to the government."

Hack the Air Force came next, at the end of May, awarding more than $130,000 for 207 unique vulnerabilities. Through the bounties and VDP, DoD has found out about and fixed thousands of vulnerabilities in its systems so far, along with more than a hundred highly critical flaws. These have included vulnerabilities that allow remote code execution, SQL code injection bugs on various websites, and methods for bypassing authentication protections.