Pentagon website flaws dug out in "bug bounty" program
Xinhua, June 18, 2016
Hackers invited by the Pentagon to breach its websites as part of a pilot cybersecurity program have succeeded in digging out at least 138 security vulnerabilities, U.S. Defense Secretary Ash Carter said Friday.
The "Hack the Pentagon" program, the first U.S.-government-funded "bug bounty" initiative designed to test and find vulnerabilities in the department's websites, attracted more than 1,400 hackers, including students.
"No federal agency had ever offered a bug bounty," Carter told an event at the Pentagon. "Through this pilot, we found a cost-effective way to supplement and support what our dedicated people do every day."
The entire cost of the program, which ran from April 18 to May 12, was 150,000 U.S. dollars. In contrast, hiring a private firm to conduct a similar security test could have cost more than 1 million dollars.
The challenge was conducted against five Pentagon websites, including defense.gov, but none of the department's critical networks were part of the competition.
Participants were required to be U.S. citizens and to pass background checks before being accepted into the program.
Overall, more than 250 participants submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be "legitimate, unique and eligible for a bounty," Carter said.
A statement from the Pentagon said it paid half of the program's money -- 75,000 dollars -- to the successful hackers, in amounts ranging from 100 dollars to 15,000 dollars.
Based on its success, Carter said his department is working to expand the bug bounty program to include more computer systems and networks.