May 15, 2018

State department bug bounty gets rare thumbs up

Illustration: Sam Jayne/Axios

Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But the new State Department bounty bill might pass muster, according to Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd.

Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.

The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.

Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.

  • Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
  • "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
  • But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
  • Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.

Go deeper

George Zimmerman sues Buttigieg and Warren for $265M

George Zimmerman in Sanford, Florida, in November 2013. Photo: Joe Burbank-Pool/Getty Images

George Zimmerman filed a lawsuit in Polk County, Fla. seeking $265 million in damages from Democratic presidential candidates Pete Buttigieg and Elizabeth Warren, accusing them of defaming him to "garner votes in the black community."

Context: Neither the Massachusetts senator nor the former Southbend mayor tweeted his name in the Feb. 5 posts on what would've been the 25th birthday of Trayvon Martin, the unarmed black teen Zimmerman fatally shot in 2012. But Zimmerman alleges they "acted with actual malice" to defame him.

4 takeaways from the Nevada Democratic debate

Photo: Mario Tama/Getty Images

The relative civility of the last eight Democratic debates was thrown by the wayside Wednesday night, the first debate to feature the billionaire "boogeyman," Michael Bloomberg, whose massive advertising buys and polling surge have drawn the ire of the entire field.

The big picture: Pete Buttigieg captured the state of the race early on, noting that after Super Tuesday, the "two most polarizing figures on this stage" — Bloomberg and democratic socialist Bernie Sanders — could be the only ones left competing for the nomination. The rest of candidates fought to stop that momentum.

Klobuchar squares off with Buttigieg on immigration

Buttigieg and Klobuchar in Las Vegas on Feb. 19. Photo: Mario Tama/Getty Images

Former South Bend, Ind., Mayor Pete Buttigieg went after Sen. Amy Klobuchar on the debate stage Wednesday for voting to confirm Customs and Border Protection Commissioner Kevin McAleenan and voting in 2007 to make English the national language.

What she's saying: "I wish everyone was as perfect as you, Pete, but let me tell you what it's like to be in the arena. ... I did not one bit agree with these draconian policies to separate kids from their parents, and in my first 100 days, I would immediately change that."