Ask David Dworken when he was in tenth grade what a cross-site scripting vulnerability is and you might get a strange look from the Alexandria, Va., teen. Fast forward two years and pose the same question Dworken and you’ll get a well-versed answer from the now white hat hacker and recent high school graduate. Dworken has quickly matured when it comes to finding flaws in software, being active in bug-bounty programs and recently participated in the Hack the Pentagon bounty program.
Dworken was one of 1,400 invited to participate in the Hack the Pentagon beta program and one of 250 who submitted bug reports (138 turned out to be bounty eligible). Last Friday, on the day the Pentagon released the first set of results from the program, Dworken was invited to tour the Pentagon and meet Secretary of Defense Ash Carter; all this just five days after graduating high school from The Maret School in D.C.
“I totally enjoyed it, it was an absolutely crazy experience,” Dworken said. “I’d never been to the Pentagon before, despite living in the D.C., area my whole life. But the tour and meeting the secretary of defense, I’d say it was quite a day.”
Dworken was presented with a Hack the Pentagon Secretary of Defense’s Challenge Coin in a ceremony on Friday. Dworken did not earn a monetary bounty since all of his submissions were considered duplicates, but the program did pay out about $75,000, the DoD said in a statement.
“It was a little sad since I reported what I found on the first day,” Dworken said. “But it was absolutely worth it. Working on something like this was rewarding enough.”
The beta program ran from April 18 to May 12 and only certain Pentagon public-facing websites and certain vulnerabilities were in scope. The program is the first of its kind where hackers were invited to take their best shot at government properties. From the government’s point of view, this was as much about reaching out to the research community as it was fixing holes in its web properties.
“What’s changed is the government’s willingness to allow you to hack us,” said Lisa Wiswell, digital service lead with the Department of Defense’s Defense Digital Service office during the Infiltrate Conference in April. “Many in government are more humble now than historically, and are coming around and acknowledging that we need help.”
Katie Moussouris, who at the time the program was announced was chief policy officer at HackerOne, said the program could not only help stave off the next OPM hack, but inspire the next generation of white hats to help the government without fear of legal action or incarceration.
“I think the broader implications of this: some of the community goals are pretty obvious. We need to modernize our approach to security, we need to identify what the priorities are for the next few years in making things more secure and to identify new security talent who can fill these positions and help us get better over time,” Moussouris said in March.
Hack the Pentagon was run on the HackerOne platform and Dworken is a veteran there, having been a participant for more than a year and already earning himself a few thousand dollars for bugs found in Uber properties, in addition to CloudFlare, Adobe, Informatica and others on HackerOne. Outside of HackerOne, he’s found bugs for AT&T, Western Union, Symantec and Dyn among others.
And it all started when he found a cross-site scripting bug on his school’s website and reported it to his computer science teacher who promptly took it to the school’s developers to have it patched.
“That was the first thing I did as far as cyber goes and it was incredibly rewarding to see something I found change on the site due to work I was able to find and explain to them,” Dworken said. “I began reading about cybersecurity online and found it interesting. I began working through bounty programs online and at first earning a free t-shirt or credit on the website before recently actually making some sizable money.”
Dworken said he heard about the Hack the Pentagon program on NPR, but at the time knew only that it would be open to select experts. Within a few weeks, he said his invitation to participate arrived.
“At that point, I was unbelievably impressed to see the government following what is an understood industry best practice at this point and doing it with the Pentagon website,” Dworken said. “I was unbelievably excited to participate. I thought about it as doing the right thing to help keep the Pentagon site secure. It was a morally good thing to do.”
Dworken said his only apprehension was staying within the program’s scope as he focused on web security issues such as cross-site scripting and content injection flaws. As for the bugs he did find and report, he said the Pentagon’s security measures up to most web properties on the Internet.
“[Their security] is similar to most websites that don’t run bug bounties,” he said. “There were pretty standard web security vulnerabilities and it’s shockingly common how easily and often you find these types of vulnerabilities on sites that don’t run bug bounty programs.
“[The bugs] were there and now they aren’t,” Dworken added. “It fundamentally shows that bug bounties work.”
Dworken expects to pursue a computer science degree when he enters Northeastern University in Boston in the Fall, and to continue to focus on cybersecurity issues. As for the Hack the Pentagon program, Secretary Carter announced on Friday that there will be three follow-up initiatives on the heels of the beta program. The DoD is expected to develop a vulnerability disclosure process and policy in order for researchers to disclose bug reports legally. The bug bounty programs are also expected to be expanded to other DoD components, Carter said, and finally that incentives will be included for contractors to expose their systems for testing with a special focus on DoD source code.
Dworken, meanwhile, expects to remain a fixture in the sundry bug bounty programs available to researchers.
“They’ve been positive experiences,” he said. “Whether I’m getting paid or getting a t-shirt, I find it rewarding. It’s a way to contribute to security online and hopefully prevent further breaches.”