May 15, 2018

State department bug bounty gets rare thumbs up

Illustration: Sam Jayne/Axios

Congress has struggled so far to write bug bounty legislation — which incentivizes independent testing of federal security — that the small handful of thought leaders in the field can embrace. But the new State Department bounty bill might pass muster, according to Casey Ellis, founder and chief technology officer of the bug bounty firm Bug Crowd.

Why it matters: While the programs are increasingly considered part of a well-balanced security diet, they are easier to get wrong than right.

The Hack Your State Department Act, which just passed the House Foreign Affairs Committee, requires State to offer a bug bounty — a reward program that pays independent researchers who report security flaws in public facing infrastructure.

Bug bounties take work: The most successful federal bug bounty programs have been those run by the Department of Defense, which made it look easy. Too easy.

  • Before a bug bounty program takes flight, a lot of things need to happen: Agencies need to restructure staff to be able to patch the influx of new bugs, create legal waivers to prevent good guys from being arrested for bad-guy hacking, and address all outstanding bugs to make room for the new ones coming.
  • "The problem with past bills is they saw Hack the Pentagon, that didn't take much time after being announced to launch, and told agencies to establish programs within 90 days," said Ellis.
  • But while the public didn't find out about Hack the Pentagon until late in the process, the Pentagon devoted two years to it before going public.
  • Hack Your State Department, introduced by Reps. Teds Lieu and Yoho (D-Calif. and R-Fla.) would give State a full year to set up the program, including a preparatory period where the department would accept and patch bugs but offer no reward.

Go deeper

54 mins ago - Technology

The slippery slope of protest surveillance

Illustration: Aïda Amer/Axios

President Trump's call to treat antifa supporters like terrorists could be a green light for high-tech surveillance of dissidents.

Why it matters: It's unlikely the Trump administration can designate antifa as a terrorist group in any legally meaningful way, but the declaration gives law enforcement tacit approval to use a plethora of tech tools to monitor protesters and left-leaning activists.

The biggest crisis since 1968

Illustration: Aïda Amer/Axios. Photo: Bettmann/Contributor

The year 1968 has been on a lot of people’s minds lately — another year of protests, violence and upheaval that seemed to be tearing the nation apart.

Yes, but: This crisis also has moments we’ve never seen before — and some historians and experts say the differences suggest that 2020 doesn't compare well at all.

SoftBank to launch $100M fund backing companies led by people of color

Illustration: Aïda Amer/Axios

SoftBank COO Marcelo Claure said in a letter to employees early Wednesday that the firm will create a $100 million fund that "will only invest in companies led by founders and entrepreneurs of color."

Why it matters: The Opportunity Growth Fund is one of the first to put significant capital behind companies' statements of empathy and outrage in response to protests over systemic racism in the U.S. typified by the killings of George Floyd, Breonna Taylor and other African Americans by police.