The Department of Defense is leveraging the Pentagon’s Digital Service Team to develop a public vulnerability disclosure program that will launch in the next few months, according to Lisa Wiswell, an official from the digital service team.
“The kinds of things that we’re going to put through bug bounties are the kinds of things that we don’t show that much security love to,” Wiswell said.
DoD is developing a process for people to report security vulnerabilities to be shared with citizens, and fixed. Wiswell said the program will enable the DoD to focus its attention on areas where security problems aren’t immediately apparent.
Wiswell said the idea spurred from a cultural change within the DoD after the success of Hack the Pentagon. The first government-sponsored bug bounty program in April and May of 2016 recruited 1,400 hackers from the United States who were tasked with searching for vulnerabilities in the DoD’s network. The hackers submitted 250 reports, and 138 of those reports were serious vulnerabilities that needed to be fixed.
“It’s changed in the department really how we view hackers,” Wiswell said. “Folks were really respectful of the legal terms.”
During Hack the Pentagon, DoD officials placed restrictions on the hackers to ensure that none of the vulnerabilities would be exposed, such as only allowing hackers from the United States.
“Hack the Pentagon has been a pretty staggering success,” said Matt Cutts, an official from the U.S. Digital Service Team and former head of the webspam team at Google.
Cutts said that during his time working for the Federal government he has noticed that people from both parties want the government to work more smoothly no matter who’s in office. The public vulnerability disclosure program could help accomplish this by patching systems faster as problems arise.
“People want the government they do have to work better,” Cutts said. “By starting with small projects we can build up some trust.”