The US government is tapping into the expertise of the hacking community in an effort to tighten up its cybersecurity protections.
Earlier this week, the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) jointly launched “Hack US”, a bug bounty program aimed at identifying high-severity flaws in government systems.
As reported by VentureBeat, the Department of Defense (DoD) has set aside some $110,000 for white-hat hackers who discover dangerous flaws. Critical-severity reports will earn hackers $1,000 apiece, high-severity ones $500, and there is a $3,000 reward for findings in additional special categories.
Armies of hackers
Speaking to the publication, Casey Ellis, founder and CTO at Bugcrowd, says tapping into the community’s potential makes sense, given that the attackers often work in groups and generally outnumber the defenders.
“It takes an army of adversaries to outsmart an army of allies, and many organizations are tapping into the community of millions of good-faith hackers around the world who are skilled, ready, and willing to help,” Ellis said.
“The good folks at DoD DC3 have been running a vulnerability disclosure program for many years with great diligence and success, so to see them ‘upgrade’ this to a paid bug bounty program makes a lot of sense,” Ellis said.
But it’s not just about the number of hackers sifting through code for flaws – it’s also about the number of flaws. According to the VentureBeat report, the average organization has more than 30,000 vulnerabilities across its attack surface, far more than a small internal security team can triage and fix.
Perhaps unsurprisingly, almost half (44%) of organizations aren’t confident they can properly secure all of their endpoints, even with the best cybersecurity solutions in place.