Distributed Defense: How Governments Deploy Hacker-Powered Security

1. Distributed Defense: How Governments Deploy Hacker-Powered Security More and more public sector agencies are recommending, mandating, and using ethical hackers as a secret weapon in their approach to cybersecurity.

2. Government Agencies Have Long Recommended Hacker-Powered Security “All companies should consider promulgating a vulnerability disclosure policy…” ROD J. ROSENSTEIN, Deputy Attorney General, U.S. Department of Justice “Companies should communicate and coordinate with the security research community...” FEDERAL TRADE COMMISSION “Engage with researchers and the hacker community in the reporting of vulnerabilities…” MANIFESTO ON COORDINATED VULNERABILITY DISCLOSURE, Global Forum on Cyber Expertise “Manufacturers should also adopt a coordinated vulnerability disclosure policy…” U.S. FOOD AND DRUG ADMINISTRATION, Postmarket Management of Cybersecurity in Medical Devices See More Quotes Here

3. Now, They are Using it to Enhance Their Own Security The European Commission recently selected HackerOne as the platform for their first-ever bug bounty program. The U.S. Department of Defense (DoD) has used HackerOne Challenges at the Pentagon, the Army, the Air Force, and more. Singapore's Ministry of Defence (MINDEF) engaged HackerOne for the first crowd-sourced security initiative run by a government in Asia.

4. Hacker-Powered Security Helps Governments Accelerate Their Security Efforts Governments aren’t known for their speed, but using hacker-powered security lets them move faster than ever before to quickly improve their security posture. The first-ever bug bounty challenge at the U.S. Department of Defense had more than 250 vetted hackers identify 138 validated bugs in just 24 days! Singapore’s Ministry of Defense used vetted hackers to identify 35 unique bugs and earn $14,750 in just 3 weeks! “The success of the program helped us boost our cybersecurity in a matter of weeks.” DAVID KOH, Deputy Secretary (Special Projects) and Defence Cyber Chief, Singapore’s Ministry of Defence

5. Here’s How Fast Hacker-Powered Security is for the DoD “The return on investment is incredible, both in terms of cost and in terms of making government assets more secure.” HUNTER PRICE, Director of Air Force Digital Service The U.S. DoD’s second challenge, Hack the Army, had 370 hackers report more than 400 bugs and earn over $100,000 in 3 weeks. The very first report was submitted within just 5 minutes! Hack the Air Force was next, with two separate challenges identifying more than 300 bugs in under two months. The very first report was submitted just 1 minute after the challenge opened!

6. Hacker-Powered Security Saves Taxpayer Money “If we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.” ASH CARTER, U.S. Secretary of Defense at the time of the program Hacker-powered security enables governments to utilize modern and cost effective security efforts. It’s a proven approach to improving the security posture of any agency or organization. Here’s the math: Estimated Cost of Their “Normal” Security Audit and Vulnerability Assessment Process: $1,000,000 Amount Paid by DoD in 1 HackerOne Challenge: − $150,000 TAXPAYER MONEY SAVED: $850,000

7. These U.S. Military Agencies Trust HackerOne Hack The Pentagon | HackerOne Challenge | April-May 2016 The U.S. Department of Defense made the move into hacker-powered security with the first bug bounty program for the federal government. Read more Hack The Army | HackerOne Challenge | November-December 2016 Building on the Pentagon’s success, this program targeted operationally significant websites including those mission critical to recruiting. Read more Hack the Air Force | HackerOne Challenge | May-June 2017 & December 2017 - January 2018 Expanded the Pentagon’s hacker-powered initiatives to include non-U.S. participants and an increased bounty budget. Read more Hackers Registered 1,400+ First Report 13 minutes Bounties Paid $75,000 Valid Reports 138 Hackers Participating 371 First Report 5 minutes Bounties Paid $100,000 Valid Reports 118 Hackers Participants1 275+ First Report 1 minute Bounties Paid2 $233,883 Valid Reports3 313 1. with 30 from outside U.S. 2. ($130,000+ $103,883) 3. (207 + 106)

8. The U.S. Department of Defense Uses HackerOne U.S. DEPARTMENT OF DEFENSE HackerOne Response | Launched November 2016 After Hack the Pentagon, the DoD noticed bugs were still being submitted, so they launched an open-ended Vulnerability Disclosure Policy. Read more Hackers Participating 650+ Vulnerabilities Reported 3,000+

9. And These Global Government Agencies Use HackerOne, Too HackerOne Bounty | December 2017 The European Commission’s first ever bounty program, designed to protect critical EU software in the aftermath of the Heartbleed incident. Read more HackerOne Challenge | January-February 2018 Singapore’s first crowd-sourced security initiative and the first program of its kind by a government agency in Asia. Read more HackerOne Bounty | August 2017 The first-ever bug bounty program for a civilian federal agency in the U.S. Read more EU-Free and Open Source Software Auditing (EU-FOSSA) Project Singapore Ministry of Defence (MINDEF) Bug Bounty Challenge General Service Administration’s Technology Transformation Service

10. 1 Put a vulnerability disclosure policy (VDP) in place with HackerOne Response. Check out HackerOne’s “VDP Basics”, a complete guide for crafting an effective vulnerability disclosure policy. Or, learn more about HackerOne Response, a turnkey solution to help organizations receive, respond to, and resolve security vulnerabilities discovered by third-parties. 2 Try a crowd-sourced penetration test with HackerOne Challenge. HackerOne Challenge provides a private, turnkey program with a focused scope and a finite length. It’s an easy way to dip a toe into hacker-powered security, and it’s cost-effective: hackers are paid for valid results, not man-hours. That means hackers are incentivized to find the issues with the biggest impact, which directly correlates to the most value to you and to them. 3 Start a continuous bug bounty program with HackerOne Bounty. HackerOne Bounty enables agencies and organizations to leverage the power of the global hacker community along with the expert services of HackerOne. Using internal resources, HackerOne’s professional services team, or a combination of both, a continuous bug bounty program quickly scales and expands the reach of every security team. For Governments Getting Started is as Easy as 1-2-3

11. Get started by downloading an ebook version of this presentation. DOWNLOAD FREE EBOOK EMAIL US Learn Why More Governments Choose HackerOne Or, jump right in and talk with a HackerOne representative today.