Why More Government Agencies Need Bug Bounty and Vulnerability Disclosure Programs

If you’re reading this article, statistically speaking your organization might be getting hacked. Data breaches of U.S. government networks, once novel, have become pervasive over the past year. Take it from the Office of Personnel Management (OPM) or the IRS – no one is safe anymore. In the private sector, the Equifax hack and Intel’s processor vulnerabilities have taken mainstream media by storm. The question needs to be asked: are we doing enough to protect our nation’s assets against malicious attacks?

If we look at the current state of the union, the precedent that the Pentagon set with “Hack the Pentagon” has proven to be successful. I’ve had multiple conversations with different government agencies on how the Pentagon ran their bug bounties and the lessons learned from them. Most government organizations are relying on pen testers, contractors, and scanners to find the weaknesses and vulnerabilities that would leave them open to cyber attacks. More agencies should be proactive in replicating what the Pentagon and major tech companies in Silicon Valley have been doing for years: running vulnerability disclosure programs and bug bounties with the world’s best hackers and researchers in a controlled white hat environment. There were a lot of lessons learned with Hack the Pentagon and many things I would change with the companies we partnered with, but there is no doubt in my mind that EVERY organization in local, state, and federal governments should be running these programs.

The IT Modernization Plan is a strong plan to overhaul legacy systems. This document is a wake-up call for all federal organizations, from the highest executive level in the federal government down, to reevaluate how software is being developed, improve DevOps processes, and leverage modern technology to improve security. Bug bounties are a necessary part of the formula. Right now, legacy systems are costing the government billions. You can’t ignore the amount of digital information out there – emails, social media, texts, etc. You don’t want to see sensitive information leaked due to a breach, or left out there for enemy nation states and hackers to exploit.

2018 will be an interesting year. CISOs and CIOs have the daunting task of prioritizing the identification of where their vulnerabilities are and how to fix them…before it’s too late. The risks are there. The goal is to help spread private sector knowledge to the federal government at scale. I think there will be a lot of lessons learned over the next few years. We are starting to see legislation passed by Congress to enable other federal agencies to build their VDP and bug bounty programs. My hope is to see more agencies adopt similar types of programs and partner with companies like Bugcrowd to support them.

For additional information, talk to a bug bounty expert today.