Does/should the military reward SM's/Veterans money for finding vulnerabilities in a network?

SPC(P) Private RallyPoint Member, 2016-03-18T07:53:31-04:00

Most enterprise companies have a bug bounty program, paying non-employees to attempt to gather "non public" info to test system security. Should the DoD be doing the same thing, or do you think this would be a terrible idea?

These tests are a more cost-effective way to find any holes in the system that could end up really bad if not found by a "White hat".

Btw anyone interested in such bug bounty programs to make $500 upwards to $1,000,000, look up sites on Google (read reviews if you're paranoid lol) HackerOne and Bugcrowd
Response by SPC(P) Private RallyPoint Member made Mar 18 at 2016 7:57 AM

This would be a great idea IF we spent time and money fixing the problems we already know about. Since we do not, this would just make more issues more commonly known and still leave them unaddressed.
Response by SSG Ed Mikus made Mar 18 at 2016 10:20 AM

We are not a profit making company.
I do not want untrained and unqualified people running security tests on our military networks. This is what we're forming the Cyber Ops Squadrons.
Response by Maj Kevin "Mac" McLaughlin made Mar 18 at 2016 11:58 AM

SANS Critical Security Control # 20: Penetration Tests and Red Team Exercises
If we won't conduct it ourselves we should pay someone else but not make it a wild, wild, West where we have no idea where/when/how the attacks are conducted. Nothing wrong with discovering vulnerabilities but we need to know when testing is happening.
Also, how would you keep an insider from gaming the system like the recruiters did when making tens of thousands using the G-RAP program?
Response by CW5 Private RallyPoint Member made Mar 18 at 2016 1:09 PM