DoD announces launch of a new bug bounty program

Today, the Department of Defense (DoD) announced that the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) are launching the “Hack U.S” bug bounty program.

The program will offer financial rewards for ethical hackers and security researchers who can identify critical and high severity vulnerabilities in the scope of the DoD’s vulnerability disclosure program. 

To encourage researchers to participate, the DoD will offer a total of $110,000 for vulnerability disclosures. Payouts range between $1,000 for critical severity reports, $500 for high severity reports, and $3,000 for those in additional special categories. 

The DoD’s decision to launch a bug bounty not only comes as the DoD and HackerOne, have concluded a 12-month pilot as part of the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), but as more organizations are recognizing the attack surface has expanded to the point where security teams simply can’t keep up. 

Why bug bounties are picking up momentum 

One of the key driving forces behind the growing interest in bug bounties is the high number of vulnerabilities present in modern enterprise environments. 

Research suggests that the average organization has roughly 31,066 security vulnerabilities in its attack surface, a number that a small internal security team can’t mitigate alone, even if they have access to the latest vulnerability management or attack surface management tools.

Given the high number of vulnerabilities, it’s no surprise that 44% of organizations report that they lack confidence in their ability to address the risks introduced by the attack resistance gap. 

Bug bounties provide an answer to this challenge, by providing security teams with access to support from an army of security researchers who can help provide support by identifying vulnerabilities, and recommending fixes. 

“It takes an army of adversaries to outsmart an army of allies, and many organizations are tapping into the community of millions of good-faith hackers around the world who are skilled, ready, and willing to help,” said Founder and CTO at Bugcrowd, Casey Ellis. 

“The good folks at DoD DC3 have been running a vulnerability disclosure program for many years with great diligence and success, so to see them “upgrade” this to a paid bug bounty program makes a lot of sense,” Ellis said. 

Of course the DoD isn’t alone in embracing crowdsourced cybersecurity, with  organizations like Microsoft, Google, Apple, Meta, and Samsung all experimenting with their own vulnerability bug bounty programs, to ensure the security of their systems and end products. 

The bug bounty movement 

According to researchers, the global bug bounty market is in a state of growth, valued at $223.1 million in 2020, and is expected to reach $5,465.5 million by 2027.

In the last 12 months alone, the bug bounty market has enjoyed significant investment activity, with   bug bounty organizations like HackerOne reportedly raising $49 million in funding, Belgian-based Intigriti raised $23 million as part of a series B round, and the Web3 bug bounty platform Immunefi raising $5.5 million in seed funding. 

At the same time, other providers have also launched new crowd research initiatives, such as 1Password, which announced the launch of a $1 million bug bounty that as of April paid out $103,000 to researchers. 

These solutions are capturing investor interest because “Effective bug bounty programs limit the impact of serious security vulnerabilities that could have easily left an organization’s customer base at-risk,” said Fellow at Synopsys Software Integrity Group, Ray Kelly. 

“Payouts for bug reports can sometimes exceed six figure sums, which may sound like a lot. However, the cost for an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue,” Kelly said. 

On the other side of the fence, even notorious cyber gangs like LockBit are experimenting with bug bounties, asking researchers and hackers to submit PII on high-profile individuals and web exploits in exchange for remuneration of up to $1 million. 

The Bug Bounty Market: Top players and key differentiators 

At this stage in the market’s growth, one of the leading providers is HackerOne, HackerOne, who are not only building a close relationship with the DoD but has also raised $160 million in total funding to date, and maintains a community of over 1,000,000 ethical hackers who have resolved over 294,000 to date.  

HackerOne provides a bug bounty platform that organizations can use to create an inventory of cloud, web, and API assets, which other researchers can then test to see if there are any vulnerabilities. 

One of HackerOne’s main competitors in the market is Bugcrowd, a pioneer of the industry, which has itself raised $80 million in funding, and offers a platform that can automatically identify vulnerabilities in an organization’s attack surface.

After detecting vulnerabilities, the platform can then connect enterprises with researchers and security engineers to investigate and report their findings into the vulnerability directly into existing DevOps and security workflows. 

Other providers in the market include European bug-bounty provider Intigriti, which offers a platform of over 50,000 researchers and has paid out over $5 million in bounties to date. 

At this stage, the main differentiator between these providers is not only the size of the pool of researchers they offer access to, but the means by which they connect enterprises to the right researchers to secure their environments.