
Distributed Defense: How Governments Deploy Hacker-Powered Security

1,031 views


Many of the most secretive and conservative organizations in the world are reaping the benefits of working with the independent security research community with the help of HackerOne.

The U.S. Department of Defense runs an ongoing Vulnerability Disclosure Program through HackerOne Response.

The Pentagon, The U.S. Army, and The U.S. Air Force have collectively paid hackers over $400K for their efforts in securing mission-critical assets with a collection of HackerOne Challenges.

The European Commission recently selected HackerOne as the platform for their first ever bug bounty program with a HackerOne Challenge on the VLC software.

The U.S. General Service Administration’s Technology Transformation Service (TTS, aka 18F) launched the first bug bounty program run by a civilian federal agency with HackerOne Bounty.

Singapore's Ministry of Defence (MINDEF) ran an immensely successful HackerOne Challenge.

Review this slideshare and download the full report to see:

How government organizations like EU Commission, Singapore MINDEF, The Pentagon, and more are reaping the benefits of hacker-powered security

Statistical successes of each program and testimonials from those running these programs

The varied strategies employed to “crawl, walk, and then run” with hacker-powered programs.


Published in: Internet


  1. Distributed Defense: How Governments Deploy Hacker-Powered Security
     More and more public sector agencies are recommending, mandating, and using ethical hackers as a secret weapon in their approach to cybersecurity.
  2. Government Agencies Have Long Recommended Hacker-Powered Security
     “All companies should consider promulgating a vulnerability disclosure policy…” ROD J. ROSENSTEIN, Deputy Attorney General, U.S. Department of Justice
     “Companies should communicate and coordinate with the security research community...” FEDERAL TRADE COMMISSION
     “Engage with researchers and the hacker community in the reporting of vulnerabilities…” MANIFESTO ON COORDINATED VULNERABILITY DISCLOSURE, Global Forum on Cyber Expertise
     “Manufacturers should also adopt a coordinated vulnerability disclosure policy…” U.S. FOOD AND DRUG ADMINISTRATION, Postmarket Management of Cybersecurity in Medical Devices
     See More Quotes Here
  3. Now, They are Using it to Enhance Their Own Security
     The European Commission recently selected HackerOne as the platform for their first-ever bug bounty program.
     The U.S. Department of Defense (DoD) has used HackerOne Challenges at the Pentagon, the Army, the Air Force, and more.
     Singapore's Ministry of Defence (MINDEF) engaged HackerOne for the first crowd-sourced security initiative run by a government in Asia.
  4. Hacker-Powered Security Helps Governments Accelerate Their Security Efforts
     Governments aren’t known for their speed, but using hacker-powered security lets them move faster than ever before to quickly improve their security posture.
     The first-ever bug bounty challenge at the U.S. Department of Defense had more than 250 vetted hackers identify 138 validated bugs in just 24 days!
     Singapore’s Ministry of Defence used vetted hackers to identify 35 unique bugs and earn $14,750 in just 3 weeks!
     “The success of the program helped us boost our cybersecurity in a matter of weeks.” DAVID KOH, Deputy Secretary (Special Projects) and Defence Cyber Chief, Singapore’s Ministry of Defence
  5. Here’s How Fast Hacker-Powered Security is for the DoD
     “The return on investment is incredible, both in terms of cost and in terms of making government assets more secure.” HUNTER PRICE, Director of Air Force Digital Service
     The U.S. DoD’s second challenge, Hack the Army, had 370 hackers report more than 400 bugs and earn over $100,000 in 3 weeks. The very first report was submitted within just 5 minutes!
     Hack the Air Force was next, with two separate challenges identifying more than 300 bugs in under two months. The very first report was submitted just 1 minute after the challenge opened!
  6. Hacker-Powered Security Saves Taxpayer Money
     “If we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.” ASH CARTER, U.S. Secretary of Defense at the time of the program
     Hacker-powered security enables governments to utilize modern and cost-effective security efforts. It’s a proven approach to improving the security posture of any agency or organization.
     Here’s the math:
     Estimated Cost of Their “Normal” Security Audit and Vulnerability Assessment Process: $1,000,000
     Amount Paid by DoD in 1 HackerOne Challenge: − $150,000
     TAXPAYER MONEY SAVED: $850,000
  7. These U.S. Military Agencies Trust HackerOne
     Hack The Pentagon | HackerOne Challenge | April-May 2016
     The U.S. Department of Defense made the move into hacker-powered security with the first bug bounty program for the federal government.
       Hackers Registered: 1,400+
       First Report: 13 minutes
       Bounties Paid: $75,000
       Valid Reports: 138
     Hack The Army | HackerOne Challenge | November-December 2016
     Building on the Pentagon’s success, this program targeted operationally significant websites including those mission critical to recruiting.
       Hackers Participating: 371
       First Report: 5 minutes
       Bounties Paid: $100,000
       Valid Reports: 118
     Hack the Air Force | HackerOne Challenge | May-June 2017 & December 2017 - January 2018
     Expanded the Pentagon’s hacker-powered initiatives to include non-U.S. participants and an increased bounty budget.
       Hackers Participating (1): 275+
       First Report: 1 minute
       Bounties Paid (2): $233,883
       Valid Reports (3): 313
     1. with 30 from outside U.S.
     2. ($130,000 + $103,883)
     3. (207 + 106)
  8. The U.S. Department of Defense Uses HackerOne
     U.S. DEPARTMENT OF DEFENSE | HackerOne Response | Launched November 2016
     After Hack the Pentagon, the DoD noticed bugs were still being submitted, so they launched an open-ended Vulnerability Disclosure Policy.
       Hackers Participating: 650+
       Vulnerabilities Reported: 3,000+
  9. And These Global Government Agencies Use HackerOne, Too
     EU-Free and Open Source Software Auditing (EU-FOSSA) Project | HackerOne Bounty | December 2017
     The European Commission’s first ever bounty program, designed to protect critical EU software in the aftermath of the Heartbleed incident.
     Singapore Ministry of Defence (MINDEF) Bug Bounty Challenge | HackerOne Challenge | January-February 2018
     Singapore’s first crowd-sourced security initiative and the first program of its kind by a government agency in Asia.
     General Service Administration’s Technology Transformation Service | HackerOne Bounty | August 2017
     The first-ever bug bounty program for a civilian federal agency in the U.S.
  10. For Governments Getting Started is as Easy as 1-2-3
     1. Put a vulnerability disclosure policy (VDP) in place with HackerOne Response. Check out HackerOne’s “VDP Basics”, a complete guide for crafting an effective vulnerability disclosure policy. Or, learn more about HackerOne Response, a turnkey solution to help organizations receive, respond to, and resolve security vulnerabilities discovered by third parties.
     2. Try a crowd-sourced penetration test with HackerOne Challenge. HackerOne Challenge provides a private, turnkey program with a focused scope and a finite length. It’s an easy way to dip a toe into hacker-powered security, and it’s cost-effective: hackers are paid for valid results, not man-hours. That means hackers are incentivized to find the issues with the biggest impact, which directly correlates to the most value to you and to them.
     3. Start a continuous bug bounty program with HackerOne Bounty. HackerOne Bounty enables agencies and organizations to leverage the power of the global hacker community along with the expert services of HackerOne. Using internal resources, HackerOne’s professional services team, or a combination of both, a continuous bug bounty program quickly scales and expands the reach of every security team.
  11. Learn Why More Governments Choose HackerOne
     Get started by downloading an ebook version of this presentation. Or, jump right in and talk with a HackerOne representative today.
     DOWNLOAD FREE EBOOK | EMAIL US