How DOD Embraced Bug Bounties -- And How Your Agency Can, Too

Sarah Lai Stirland | FCW | October 24, 2016

It was a Tuesday in April, and Mark Litchfield was poking around the Defense Department's Defense Video Imagery Distribution System, looking for security holes. It didn't take him long to find one. He soon uncovered a vulnerability known as blind persistent cross-site scripting. It could enable any maliciously minded hacker to log in as a site administrator and broadcast whatever content he or she wanted from the DVIDS website -- which is the primary way the U.S. military keeps the public informed about its activities around the world. The hacker could also have accessed the email messages of the registered users of DVIDS.

“As you can imagine, [Islamic State militants], if they had launched that kind of attack, they would have had a field day if they could upload whatever they wanted onto a website that's run by the military,” Litchfield said. Such propaganda risks are hardly hypothetical; last year, Islamic State sympathizers hacked into U.S. Central Command's Twitter feed and YouTube accounts. Luckily it was Litchfield, a security researcher and entrepreneur, who discovered the vulnerability -- and he did so at DOD's invitation.

Had he discovered the problem under regular circumstances, it would not have been clear what he could have done about it. Like most other websites, DVIDS does not provide explicit instructions on how to responsibly report problems. Instead, in the “Privacy and Security” section, DOD threatens prosecution for any unauthorized attempts to upload or change the information provided by DVIDS. But Litchfield was able to report the problem -- and 35 others -- without fear of prosecution because he was participating in DOD's pilot “Hack the Pentagon” bug bounty program, which invited vetted members of the public to rummage around five media-related DOD websites with the goal of uncovering security problems...