chevron-down Created with Sketch Beta.

Public Contract Law Journal

Public Contract Law Journal Vol. 49, No. 1

Bug the Bounty Hunter: Recommendations to Congress to Best Effectuate the Purpose of the SECURE Technology Act

Myles Ashong


  • Discusses programs for identifying defects in software.
  • Analyzes the use of defect identification for improving software security.
  • Considers proactive contracting to address cybersecurity.
Bug the Bounty Hunter: Recommendations to Congress to Best Effectuate the Purpose of the SECURE Technology Act

Jump to:

I. Introduction: A Cyber Nightmare Is Closer Than You Think: How Can We Ensure That We Are Secure?

Picture this: you are on your way home from work and, as is routine, safely seat-belted in the back seat of a taxi cab, or Uber, or Lyft.You have just finished reviewing the last of that day’s e-mail threads from your colleagues at the office and are beginning to mentally decompress. You insert your headphones and turn on your favorite podcast. Suddenly, you feel a jolting acceleration, then a swerve, a skid, and finally a stop. Thankfully safe, you quickly realize that the car is not. You have been involved in a multi-vehicle accident. And your driver claims that it was not his fault. “The car did it,” he claims. What if the driver was absolutely right?

In theory, everything grounded in technology is hackable because the human-written, algorithmic code of which it is comprised is inherently imperfect. Even when secured by passwords, cellular phones and laptops can be hacked. Surprisingly, smart-televisions can be hacked, coffee machines can be hacked, and intimate dating websites can be hacked. Even the Dalai Lama has been hacked. This is in large part because since the Internet’s inception in the latter part of the twentieth century, interconnected systems have seen expansive growth and rapid development, both in utility and convenience, and have become omnipresent. Correspondingly, the commonness and usefulness of digital and cyber-infrastructure has, too, expanded at a parallel rate. This proliferation has provided bad actors and hackers with yet another domain through which they can commit cyberattacks and intrusions on a hosted network without an owner’s consent. Fittingly, as former FBI Director Robert Mueller noted, the same roads that enabled the spread of Roman civilization also led invaders to Roman doorsteps. In the context of the Internet, this is equally true. Along with its countless benefits, the Internet’s own rapid expansion has paradoxically led to cybersecurity defects, or “bugs,” and other exploitative vulnerabilities. As such, the federal government, tasked with the protection and safety of its citizens, has proactively begun increasing investments in research aimed at addressing cybersecurity vulnerabilities and identifying internal vulnerabilities to protect their infrastructures against cybertheft, cyberespionage, and the infiltration of harmful malware.

One defensive tactic, the “bug-bounty program,” invites hired computer- security experts, also known as “white hat hackers,” to hack into existing infrastructures with the goal of identifying and reporting potentially harmful vulnerabilities to the host. Though this “hacker-powered security” is a relatively new phenomenon in government, it has solidified its place in mainstream cybersecurity practice after decades of success in identifying and resolving “zero-day vulnerabilities” within the private sector. Zero-day vulnerabilities are exploitable vulnerabilities of which a software vendor is not aware and for which no patch has yet been created. Google, for example, paid out more than $2.9 million in bounties in 2017, and Apple offers up to $200,000 for the identification of certain vulnerabilities. Most recently, the value of the bug bounties in federal government agencies has caught the eye of Congress. On January 3, 2018, President Donald Trump signed H.R. 7327 - Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act” or the “Act”) into law. The SECURE Technology Act (1) compels the Department of Homeland Security (“DHS”) to establish a security vulnerability disclosure policy (“VDP”); (2) requires DHS to establish a bug-bounty pilot program to minimize vulnerabilities of DHS information systems; and (3) establishes an interagency Federal Acquisition Security Council to set supply-chain risk management standards. The SECURE Technology Act aims to advance digital security systems within the federal government, using previously efficacious bug-bounty programs as an instructive mold.

However, the documented success of completed programs and the prospect of future programs do not evince or guarantee perfection in the application of bug-bounty programs, generally, because these programs have not yet been optimized to reach their full potential. There remains ample room for increased clarity, utility, and efficiency in federal bug-bounty offerings. Going forward, it is imperative that federal agencies offering bug-bounty programs seek to ensure to their participants fundamental fairness within criminal and intellectual property law while operating within the bounds of the Computer Fraud and Abuse Act (“CFAA”). Unfortunately, it is difficult to harmonize and operate within these competing principles because the usage of government bug bounties as a cybersecurity tool is still a largely novel concept.

This Note argues that the SECURE Technology Act should expand the scope of past bug-bounty programs offered by government agencies to permit hacking attempts against critical and sensitive cyberinfrastructures that contain sensitive, highly sensitive, confidential, or classified materials. For ostensibly obvious reasons regarding reliability and trustworthiness, current and past government bug-bounty programs have been reluctant to grant bug- bounty participants access to sensitive and classified materials. This Note recommends a departure from that sentiment in order to best effectuate the purpose of the SECURE Technology Act and receive the best value from the appropriated funds.

Part I of this Note presents a brief overview of past bug-bounty programs offered by the federal government and compares their application to those offered in the private sector. Part II of this Note argues that it would be a misapplication of congressionally appropriated funds to constrain bug-bounty participants to the least difficult systems because, for reasons later discussed, doing so identifies ancillary vulnerabilities without actually making infrastructures any more secure. Finally, Part III of this Note argues that Congress has little to gain from allowing the bug-bounty portion of the SECURE Technology Act to mirror its mandated bug-bounty program after past government bug-bounty offerings. To obtain the best value from the congressionally appropriated funds, the SECURE Technology Act must carve out sufficient safe harbor protections for participants and allow those participants to access sensitive security systems. The Act should clearly define its scope and require formalized reports regarding successful vulnerability discoveries and, for unsuccessful attempts, reports that indicate the nature of the attempted intrusions. Finally, in response to anticipated skepticism about the reality of its proposal, this Note posits strict criminal penalties for any participants who are found to have retained data, attempted to retain data, exceeded the government’s scope, or attempted to exceed the government’s scope.

A. Setting the Stage to Swat the Bug: Why the Government Needs Bug-Bounty Programs

Sophisticated, anonymous attackers pose a great danger to government cyber-infrastructures with their ability to discover weaknesses through design and implementation flaws within even the most secure computer networks. These nimble hackers incessantly target interconnected government cyber-networks with malicious attacks. It has been reported that cyberterrorists and hackers attempt to penetrate Department of Defense (“DoD”) computer systems “thousands of times a day.” Further, the number of “cyber incidents” on federal systems reported to the DHS increased more than tenfold between 2006 and 2015. Still, even the most accurate malware reports will only represent an infinitesimally small fraction of the actual total because, by their nature, most malicious cyber-intrusions ultimately go undetected. Even when malicious activity is detected, there remains the costly and time-consuming problem of identifying the source and preventing its reoccurrence. Due to the immense cost, resources, and manpower required to locate and patch existing “bugs,” this category of vulnerabilities is often neglected and left ripe for exploitation, specifically, by way of cyber-intrusions, or “hacks.” Both domestically and abroad, digital infrastructures have suffered intrusions that make them susceptible to disruption and permit bad actors to steal money, intellectual property, and sensitive military information. The revolution of the Internet calls for an urgent reassessment of the value of a secure cyber-infrastructure, as well as the threat that information theft and other cyberattacks pose to domestic and international security. To ignore this sign of modern times would all-but encourage attempts to threaten America’s cyber-infrastructures.

In 2009, President Barack Obama identified cybersecurity as one of the “most serious economic and national security challenges we face as a nation” but are ill-equipped to counter. More recently, the Council of Economic Advisors estimated that one major cyberattack could cost between $57 billion and $109 billion. In 2015, there were 112 million recorded healthcare data breaches. In 2017, Symantec reportedly blocked 611,141 web attackers per day and encountered a fifty-four percent increase in the number of new variants of malware that infect computers. In the same year, the FBI’s Internet Crime Complaint Center (“IC3”) received a total of 301,580 complaints with reported losses exceeding $1.4 billion. In late 2018, the Pentagon reported that it had been hacked and that the breach may have taken place several months before it was discovered. Instances like the aforementioned are particularly harmful in the context of government cybersecurity not only because they can result in financial harm, but also because they can give rise to safety concerns and cause immeasurable damage to the public’s faith in the government. Portended suppositions — similar to those of President Obama — bolstered by such staggering figures no doubt reflect the necessity of strong, proactive defensive capabilities.

Still, while cyberattacks vary significantly in complexity and impact, U.S. federal government agencies continue to face increasingly sophisticated and persistent cyber threats from devious hackers, commonly known as “black-hat hackers,” who hack into protected platforms — without permission —for a variety of reasons.Additionally, because attack tools have become more sophisticated and easier to use, black-hat hackers can simply download attack scripts and protocols from the Internet and subsequently launch them against government websites. Far from solicited auxiliaries, these black-hat hackers comfortably operate while shrouded in anonymity, a phenomenon that has been called the “cornerstone” of Internet culture. As such, identifying cyber-vulnerabilities and locating and protecting against attackers is particularly difficult in the cyberworld in comparison to the physical world, in part due to the abilities of sophisticated actors to mask their activity and hide the origins of their attacks. All in all, the rise of malicious hacking attacks against governments mirrors the uptick in hacking that similarly mars the private sector.

1. What Doesn’t Kill Them, Only Makes Them Stronger: How Developments in Cybersecurity Have Made Bugs More Prevalent

The prevalence of software in society has continued to rapidly grow and expand across societal functions with no signs of deceleration. As users continue to demand additional functions from existing software, that software must be redeveloped and consequently becomes more complex and difficult to understand. Logically, an increase in quantity of complex software inevitably leads to more vulnerabilities because such complex software has more lines of code and therefore attendant security bugs, which makes them harder to test, and thus more likely to contain untested sections. This is particularly true in the context of public sector infrastructures, who are commonly known to be a step or two behind their private sector counterparts.

B. Proactive Combat: Federal Government Agencies Taking a Chance on Bug- Bounty Programs and Congressional Backing

New problems require new solutions. April 16, 2016, marked an interdepartmental acceptance of this principle when the federal government took an unusual action in its fight against cybercrime. In coordination with the Department of Justice (“DOJ”), the DoD’s Defense Digital Services (“DDS”) group introduced its pilot “Hack the Pentagon” bug-bounty program, the first of its kind to ever run at a federal agency. The initiative, which ran throughout April and May of 2016, was directed by the DDS with strong support from then-Secretary of Defense Ash Carter and mimicked best practices from the private sector. Hack the Pentagon attracted more than 1,400 hackers who — after registering and completing a background check — submitted vulnerabilities discovered within the Department’s public-facing websites, like After their acceptance to Hack the Pentagon, hackers were provided legal consent to perform specific hacking techniques against DoD websites and received financial awards for successfully submitting vulnerability reports. One hacker submitted the first bug within just thirteen minutes of the beginning of the contest. In the end, “138 legitimate and unique vulnerabilities were found.” Bounty rewards totaling $75,000 were paid out. Former Secretary of Defense Ash Carter even met with two of the bug-bounty’s participants to congratulate them for their work. The federal government’s willingness to partner with freelance hackers to bridge the gap between the private sector and the Pentagon is a marked departure from its erstwhile policies on combatting cybercrime. Two-and-a-half years later, the DoD announced renewed efforts to deepen the focus of its first bug-bounty program.

Building upon the success of Hack the Pentagon, the government ran more bug-bounty programs, received reports of more than 5,000 unique vulnerabilities, and paid out roughly $500,000. Yet, this figure still pales in comparison to the cost of hiring an outside firm to do security audit and vulnerability assessment. Secretary Carter observed this financial benefit: it would have cost the DoD more than $1 million to identify and resolve these vulnerabilities internally. Even still — this is less costly than seeing such vulnerabilities exploited to or on the black market. The Marine Corps Cyber Command has also hailed the benefits of bug bounties.

Most recently, the value of the bug bounties in federal government agencies has caught the eye of Congress. The SECURE Technology Act was introduced by Rep. Will Hurd (R-TX) on December 19, 2018, and it passed the House of Representatives by an electronic vote of 362-1 on the same day. It later passed the Senate by unanimous consent and was signed into law by President Trump two days later on December 21, 2018. The Act was a legislative package that “subsumed a trio of bills aimed at strengthening Homeland Security’s cyber defenses and protecting the government’s supply chain.” In doing so, the Act appropriates $250,000 and requires the DHS to establish a bug-bounty program and a vulnerability disclosure program. Next, on the supply-chain front, the bill establishes a Federal Acquisition Security Council to provide executive agencies with authorities relating to mitigating supply-chain risks in the procurement of information technology. This council is to include members from the DHS, the DoD, the General Services Administration (“GSA”), the Office of the Director of National Intelligence (“DNI”), the Federal Bureau of Investigation (“FBI”), the Office of Management and Budget (“OMB”), and the National Institute of Standards and Technology (“NIST”). The council must then establish criteria for determining what types of products pose supply-chain security risks to the federal government and will provide guidance to agencies to help them understand the risks to their supply chains when making procurement decisions. By its terms, the SECURE Technology Act portends congressional interest in and commitment to employing cutting-edge approaches for optimal cybersecurity. The Act’s requirements further hold the DHS’s feet to the fire by requiring continual and periodic reports regarding the program’s efficacy.

1. Know Thy “Enemy”: Who Participates in Bug-Bounty Programs?

The SECURE Technology Act’s bug-bounty program will be open to “eligible individual[s], organization[s], or company[ies],” that is, pre-vetted “hackers.” To the general public, “hacker” is often a term that is most often synonymous with the image of a shadowy and hooded member of the cyber-criminal underground. But, not all hacking is created equal.

The cybersecurity community generally recognizes three distinct subcategories of hackers: white-hat, black-hat, and grey-hat. “White-hat” hackers are members or affiliates of the security industry that are contracted with the specific goal of identifying and testing security flaws, whereas “black hats” engage in criminal conduct and infiltrate systems for no other reason than to commit that crime — usually, pursuing some sort of economic profit as an end-game. Somewhere in the middle of the road lies the “grey-hat hacker,” who operates on the fringe of civil and criminal liability to discover and report security vulnerabilities. Large corporations like Microsoft, Google, Facebook, and Mozilla have discovered and demonstrated the utility of hacker-powered security as an essential safeguard against criminal cyberattacks. There is no one better-suited to locate a cyber-vulnerability than someone who is practiced in exploiting these vulnerabilities. With this in mind, government bug-bounty programs should be restricted in their offerings to stringently pre-vetted trusted hackers that pass background checks in order to safely and effectively test their security. Additionally, bug-bounty sponsors should ensure that “no bounty money goes to a person or organization targeted by U.S. sanctions.” In light of these exclusionary requirements, well-intentioned white-hat hackers remain among the most apt and attractive candidates to participate in government bug-bounty programs.

2. Flying Too Close to the Sun: What Kind of and How Much Liability Do Participants Face?

Today, even white-hat hackers who are granted authorization for cybersecurity testing must walk a tightrope to avoid criminal prosecution. This poses a major problem that must be definitively ironed-out to maximize the participant pool in government bug bounties. Accordingly, the DOJ issued an assistive framework that guides the administration of vulnerability disclosure policies in order to “substantially reduc[e]” the likelihood that activities related to vulnerability disclosures will result in a civil or criminal violation of law under the CFAA. However, the framework is merely instructive. Thus, because prospective white-hat hackers presumably have less bargaining power in negotiations with the government than with private companies, they ostensibly welcome a considerable amount of civil and criminal exposure under the broad language and application of the CFAA. To balance this disparity in bargaining and offer appreciable protections to the involved parties, the DOJ’s guidelines instruct that the sponsor of the program should evaluate (1) the sensitive nature of information stored or processed on the organization’s systems, (2) the ability to segment its network or otherwise segregate sensitive information stored on its systems, and (3) any regulatory or contractual restrictions placed on disclosure of protected classes of information in an organization’s possession. The DOJ is less clear with respect to the handling of sensitive or classified information within the bounds of the CFAA.

As indicated earlier in this Note, the CFAA criminalizes access to a computer without proper authorization. But, the language of the statute is notoriously broad and imprecise and fails to adequately define “authorization,” leaving a significant amount of disconcerting grey area within which the white-hat hackers must operate. Additionally, in 1996, Congress passed an amendment to the CFAA which appreciably expanded the scope of § 1030(a)(2)(C). As a result, the CFAA, while once limited in its protection of “unauthorized access,” has expanded to prohibit intentional access of information from any protected computer or in a manner that “exceeds authorized access.” This notably broad language has been the source of pronounced uncertainty for bug-bounty participants. Thus, for sponsors, the DOJ suggests placing limits on the sensitive material and urges that organizations seriously weigh the risks and consequences of exposing sensitive information “when making its scoping decisions.”

The DOJ also offers guiding principles to aid in the drafting of vulnerability disclosure policies to avoid legal action and proscribes worthwhile considerations to that end. The DOJ’s framework recommends that, prior to launching, sponsors decide “how [they] will handle accidental, good faith violations of the vulnerability disclosure policy, as well as intentional, malicious violations.” Additionally, the framework instructs that sponsors use plain-language in describing acceptable and non-acceptable conduct and “[e]xplain the consequences of complying — and not complying — with the policy” in order to avoid ambiguities.

C. Don’t Let the Bad Bugs Bite: A Necessary Shift from Diffidence to Proactivity

In the past, government agencies sponsoring bug-bounty programs have been generally reluctant to make available their most critical infrastructures for white-hat hackers to test. Such an approach, however, diminishes the value of running a bug-bounty program because restricting participants’ access to the “low-hanging fruit” that exists within less-guarded systems necessarily limits vulnerability reports to those of lower-to-more-moderate severity. This, among other things, has prompted various criticisms about the underlying methodologies of government bug-bounty programs. It even led Katie Moussouris, former Chief Policy Officer with HackerOne and one of the driving figures of the organization who helped launch and direct the 2016 Hack the Pentagon bug-bounty, to characterize government bug-bounty bills as “well-meaning, but misdirected.” Similar criticisms surround the government’s inability — or reluctance — to allocate sufficient resources to curing the reported vulnerabilities.

Discovering cyber-vulnerabilities quickly is the first step in the attainment of cybersecurity. But quickly patching them is another. Today, there is a notable lack of cybersecurity resources in federal government agencies. This poses problems both in the administration of and response to reported vulnerabilities in bug-bounty programs in two ways. First, an agency that is understaffed in its cybersecurity divisions necessarily has fewer human resources to monitor and effectuate its operations. During the sponsorship of a bug-bounty program, this can inadvertently allow for potentially obstructive, or even injurious, supervision of the participants and their hacking techniques. Furthermore, failure to triage and patch reported bugs can lead to grievous consequences: “slips-through-the-cracks” can be costly, dangerous, or both. Second, if and when unique bugs are identified and reported, these reports run the risk of taking a priority over current and open bugs that may have previously been receiving attention or, alternatively, of taking a back-seat to those currently opened matters. This general “backlog” has been a common concern among cybersecurity experts and must be mitigated. These problems are not distinct, either. In some cases, they compound one another. For example, during Hack the Army, the program sponsors received 416 bug reports but only 118, or about one-fourth, were evaluated to be “unique and actionable.”

This is a time-consuming problem to have. In contrast, most major private corporations already have robust information technology departments that include expert personnel and specialized software that work in concert to catch, monitor, and are otherwise generally aware of, if not already clearing out, the “low-hanging fruit.” Furthermore, because of higher budgets and personnel capabilities, bug-bounty sponsors in the private sector are more readily able to monitor and communicate with participants at all stages throughout the bug-bounty process. In comparison, government agencies lack the time and resources to engage meaningfully with participants. Thus, government agencies must remain flexible to different practices, including hiring additional staff specialists to triage reported vulnerabilities or affording more autonomy to bug-bounty participants as they probe for and report vulnerabilities.

D. Hackers Gotta Hack: The DHS Must Allow Freer Rein to Bug-Bounty Participants

The government should aim to be more predictive and less reactive in its protection of our critical cyber-infrastructures. The funds appropriated for the DHS’s bug-bounty program by the SECURE Technology Act are a good start. The DHS can best effectuate the purpose of the SECURE Technology Act by 1) contracting a trusted pool of talented participants and 2) allowing those participants to dissect the DHS’s most valuable systems. As previously mentioned in this Note, in the past, government bug-bounty sponsors have avoided allowing their most sensitive systems from being probed by white- hat hackers. The most recently awarded government bug-bounty contract, however, departs from this sentiment and expands the scope and capacity of the program to bounties that are permitted to target private DoD assets. According to a statement released by the DoD, this approach will welcome valuable new security perspectives to emulate combat adversaries and mitigate risk. The SECURE Technology Act should be implemented in accordance with this trend to ensure that its appropriated funds are used in the most efficient manner and that the program reaps its best possible value. Calculated temerity, in this sense, promises to bear greater rewards than any cautious and continued maintenance of past methods.

To date, there have been roughly a dozen federal government bug-bounty programs. Imaginably, the federal government and its contractors have encountered some overlap in some of the participants across each program. To maximize their utility, the government and its contractors should review the results of each bug-bounty and “keep tabs” on the volume of submissions from each participant. With that information, and to the extent possible, the government should seek to break down the walls of skepticism between the parties and build a rapport that can sustain trusting, long-term partnerships. This can either be done by monitoring hacker participants over a temporal period or, alternatively, by monitoring hackers’ statistics based on their level and frequency of participation and the utility of their reporting. Once that is done, the DHS can examine the attributes and tenure of certain hackers and assign a level of trust to them that will allow these hackers to access (however closely monitored) more sensitive systems to test for vulnerabilities. With well-defined parameters and test-proven hackers, both parties stand to benefit — the government, in its sense of structural security, and the participants, in their safeguard against criminal prosecution.

To be effective, bug-bounty programs must clearly identify the scope and goals of its offering. This may seem obvious, but, at its core, the importance of this idea cannot be understated. For the DHS to reap the benefits of its bug- bounty program, it is imperative that its goals are clearly stated to serve as a road map for the participants. If the DHS is interested in a particular class of vulnerabilities or is less concerned with another, it should state so unequivocally as part of its offering so that the participants’ time is more purposefully spent reviewing reports of bugs that are in-line with the concerns. Similar initiatives have already been deployed. For example, HackerOne has introduced “Signal Requirements” and “Rate Limiter” instructions that organizations can use to increase the quality of reports by limiting certain types of activity. Signal Requirements allow only those hackers who maintain a certain ratio of “valid” to “invalid” submissions, while the Rate Limiter constrains the number of reports that a hacker can make in a given time interval.

Defining the scope of the bug-bounty program is equally important. This encompasses both defining the parameters of the program and indicating what sorts of methods are sought after as part of the program. Plainly and squarely defining the parameters can include outlining or informing participants of the civil and criminal penalties under the CFAA and reserving or waiving certain rights (assuming compliance from the participants). As previously discussed, the CFAA can have extensive bearings on the conduct of black-hat, grey-hat, and even authorized white-hat hackers. The previously discussed ambiguity in the CFAA can be a source of uncertainty for participants who are voluntarily undertaking government sanctioned-hacking of the government. It would do great damage to the landscape of bug-bounty programs if the government then turned around and prosecuted innocent missteps. For those reasons, in order to attract the best talent, common ground must be ensured.

II. Conclusion: Past is Prologue — Learning from & Building Upon Past Bug-Bounty Programs

The solutions proposed by this Note would strengthen the partnership between the government, as bug-bounty sponsors, and hackers, as bug-bounty participants, and lead to more valuable and beneficial dealings between the two parties in their joint efforts to identify and dissect vulnerabilities. This Note firstly calls for increased clarity with regard to the terms and parameters of bug-bounty offerings to ensure that participants, who may be wary of engaging with the government, can begin to build a workable level of trust in future dealings. Then, this Note urges the DHS, during its recently congressionally mandated bug-bounty program, to examine the efficacy of past bug-bounty programs (especially in the DoD) and allow a selected pool of participants to hack their more sensitive private systems. Admittedly, this approach may be met with healthy skepticism and hesitation. After all, there is a justified cause for concern when putting such significant faith in the hacker community. Importantly, however, government bug-bounty sponsors must recall that hacker culture — in its entirety — was once “taboo.” Cyber-society is ever-evolving, and the regularity of bounty programs is a sign of these changing times. As such, this Note posits that with sufficiently deliberate terms of agreement, good-faith dealing, and the lengthy reach of the CFAA, bug-bounty programs are ready to level up. Abandoning the erstwhile inhibitions of past government bug-bounty programs in favor of this new-fashioned methodology is a vitally necessary step towards obtaining the best value from the funds congressionally appropriated to Hack the DHS. If optimized, the SECURE Technology Act has the potential to break the timeworn mold of government-sanctioned hacking and to serve as a fortifying directive for the future of U.S. cyberinfrastructures.