We wrote earlier about the kind of success Google has been seeing with its Android bug bounty program -- success that has led the company to actually increase its rewards. Over the years, we've seen other major companies offer bug bounties as well, such as Facebook and Microsoft, so it's clear that they can provide some real value.
Could that value be important enough for the US government to get in on the action? It appears the answer is yes. In a new report from the Pentagon, the groundwork is laid for future programs that target much more than a few public-facing websites, which is all that was in scope during the Department of Defense's test period of April 18 - May 12 of this year.
To source participants, the DoD worked with HackerOne, a Silicon Valley company that helps organizations manage incoming security vulnerability reports. In all, 1,410 participants submitted 1,189 vulnerability reports, of which 138 were deemed valid and paid for (to a total of $150,000).
Just how successful can a bug bounty system be? The DoD noted that the first vulnerability report came in a mere 13 minutes after the program was launched. Clearly, there are people out there eager to participate in such programs when they can do so without the fear of being prosecuted.
While this first bug bounty stint covered only a handful of websites, the DoD wants to expand the program in the future to include its more important systems. The DoD says that programs like these are not just cost-effective, they're simply more efficient than traditional security assessments. A win/win for everyone involved.