DoD’s Hack U.S. Challenge success shows value of crowdsourced security




How do you manage thousands of vulnerabilities if you only have a small security team? You get help. Crowdsourced security and bug bounties are giving enterprises an opportunity to leverage the expertise of an army of independent security researchers and ethical hackers in order to fix vulnerabilities in exchange for money.

This approach is becoming so effective that even the DoD is getting involved. On Independence Day earlier this year, the Department of Defense (DoD), Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) announced the Hack U.S. Challenge.

During the challenge, with the help of HackerOne, the DoD rewarded ethical hackers for reporting High and Critical severity vulnerabilities. The challenge saw 267 ethical hackers participating and generated 349 actionable reports, with the DoD paying out a total of $110,000.

The success of the program highlights that crowdsourced security is an efficient way to discover and remediate lots of vulnerabilities on a cost-effective, scalable basis. 


A new approach to software supply chain security 

The announcement comes as the number of exploits throughout the software supply chain is skyrocketing, with 18,378 vulnerabilities reported in 2021. 

With the US government focusing on securing the supply chain following President Biden’s Executive Order on Improving the Nation’s Cybersecurity, this bug bounty challenge presented an opportunity to test the mettle of crowdsourced security approaches.

“This particular challenge was focused on identifying critical and high-rated vulnerabilities on assets in scope for the DoD’s Vulnerability Disclosure Program (VDP). Hackers submitted more than 648 vulnerabilities, with more than half resulting in actionable reports over a mere week timespan,” said HackerOne Co-Founder and CTO, Alex Rice. 

With the level of engagement from researchers and the number of High and Critical vulnerabilities discovered, the initiative can be considered a success.  

“Hack U.S. has proven an innovative use case on how incentivised hackers can productively contribute to our national security, but the model isn’t unique to the government. Everyone with a mission to protect user data should implement a VDP and, when the time is right, explore introducing incentives to reduce risk even further. The hacker community stands ready to help,” Rice said. 

A look at the wider landscape of bug bounties and crowdsourced security

The crowdsourced security movement is picking up steam rapidly, with the global bug bounty market valued at $223.1 million in 2020 and anticipated to reach $5.4 billion by 2027.

HackerOne is one of the main providers in the bug bounty movement, with a platform that provides enterprises with access to a crowd of ethical hackers who can look for vulnerabilities in their systems and assess their security posture against OWASP and NIST industry standards. 

HackerOne has raised almost $160 million in total funding to date. 

Another key vendor in the space is BugCrowd. BugCrowd connects enterprises with security researchers so they can discover vulnerabilities and prioritize them. BugCrowd most recently announced raising $30 million as part of a Series D funding round in 2020, bringing its total funding raised to $80 million. 

Other significant alternatives in the space include Intigriti, a bug bounty and agile penetration testing platform, which raised €21 million ($20 million) as part of a Series B funding round earlier this year. 

HackerOne’s partnership with the DoD is helping differentiate it from other providers by highlighting the skills of the ethical hackers on its platform (who were invited to participate in the challenge).

