On Friday, Secretary of Defense Ash Carter announced the results of the Hack the Pentagon program, the DoD’s first official bug bounty. Mr. Carter also personally thanked and awarded two of the program’s top researchers, among which was an 18-year-old high school student.
Thewas announced at the start of March 2016, when the Department of Defense (DoD) announced it was starting a bug bounty program via the HackerOne platform.
Over 1,400 security researchers participated
The DoD said that many security experts signed up, and the agency accepted over 1,400 researchers, who were given the green light to hack the DoD’s public facing websites.
The program ran between April 18 and May 12, during which time, the agency says it received at least one bug report from over 250 of the 1,400 security experts.
Of these, the agency validated 138 reports, and the researchers received monetary rewards for their efforts. The DoD says their pilot program cost the state only $150,000, and almost half went to the security researchers themselves.
For comparison, Carter noted that if the DoD had hired a private security firm, the total costs would have been over $1 million.
DoD announces three more bug bounty programs
Following the success of the test pilot program, Pentagon officials are now saying they’re already planning three other bug bounty programs, set to start next month.
Additionally, the DoD DDS (Defense Digital Service) is also working on a vulnerability disclosure process and policy so white hat researchers can report vulnerabilities in the confines of the law.
At the press conference, Secretary of Defense Carter also publicly thanked Craig Arendt, one of the program’s top researchers, and David Dworken, a student at the Maret high school in the Washington, DC, area.
In an interview with US news site Metro, Dworken said he spent most of the time “hacking the Pentagon” between classes. Dworken is not your regular teenager, engaging in similar bug bounty programs in the past.