State department bug bounty gets rare thumbs up

Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But the new State Department bounty bill might pass muster, according to Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd.

Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.

The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.

Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.

• Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
• "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
• But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
• Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.