U.S. DoD’s Hack Challenge shows the value of crowdsourced security

How do you manage thousands of vulnerabilities if you only have a small security team? You get help. Crowdsourced security and bug bounties are giving enterprises an opportunity to leverage the expertise of an army of independent security researchers and ethical hackers in order to fix vulnerabilities in exchange for money. 

This approach is becoming so effective that even the Department of Defense (DoD) is getting involved. On Independence Day earlier this year, the DoD, Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) announced the Hack U.S. Challenge.

During the challenge, with the help of HackerOne, the DoD rewarded ethical hackers for reporting vulnerabilities that were of high and critical severity. The challenge had 267 ethical hacker participants and generated 349 actionable reports. In total, the DoD paid out $110,000.

The program’s success highlights that crowdsourced security is an efficient way to discover and remediate countless vulnerabilities on a cost-effective, scalable basis. 

A new approach to software supply chain security 

The announcement comes as the number of exploits throughout the software supply chain is skyrocketing, with 18,378 vulnerabilities reported in 2021 alone. 

The U.S. government is focused on securing the supply chain following President Biden’s executive order from May of this year for improving the nation’s cybersecurity. This bug bounty challenge presented an opportunity to test the mettle of crowdsourced security approaches. 

“This particular challenge was focused on identifying critical and high-rated vulnerabilities on assets in scope for the DoD’s Vulnerability Disclosure Program (VDP). Hackers submitted more than 648 vulnerabilities, with more than half resulting in actionable reports over a mere week timespan,” said Alex Rice, HackerOne’s cofounder and CTO. 

The level of engagement and the number of important vulnerabilities that were discovered made the initiative a success.  

“Hack U.S. has proven an innovative use case on how incentivized hackers can productively contribute to our national security, but the model isn’t unique to the government,” Rice said.  “Everyone with a mission to protect user data should implement a VDP and, when the time is right, explore introducing incentives to reduce risk even further. The hacker community stands ready to help.”

A look at the wider landscape of bug bounties and crowdsource security 

The crowdsourced security movement is picking up steam rapidly, with the global Bug Bounty market valued at $223.1 million in 2020 and anticipated to reach $5.4 billion by 2027. 

HackerOne is one of the primary providers in the bug bounty movement. Its platform provides enterprises with access to a crowd of ethical hackers who can look for vulnerabilities in their systems and assess their security posture against OWASP and NIST industry standards. 

The company has raised almost $160 million in total funding to date. 

Another key vendor in the space is BugCrowd, which connects enterprises with security researchers so they can discover vulnerabilities and prioritize them. BugCrowd most recently announced raising $30 million as part of a series D funding round in 2020, bringing its total funding raised to $80 million. 

Other significant alternatives in the space include Intigriti, a bug bounty and agile penetration testing platform, which raised $20 million as part of a series B funding round earlier this year. 

HackerOne’s partnership with the DoD is helping differentiate it from other providers by highlighting the skills of the ethical hackers on its platform, who were invited to participate in the challenge.