White-hat hackers found 40+ vulnerabilities in Maryland’s first bug bounty program

Participants in Maryland's first bug bounty program uncovered more than 40 vulnerabilities affecting the state's websites.
The Maryland Department of Information Technology on Tuesday shared the results of its first bug bounty program, in which participating hackers found more than 40 vulnerabilities on the state’s websites.

The bug bounty program began on July 30 as an assessment of just a few of the state’s digital “assets,” and it was later expanded to include 12 assets hosted on Maryland.gov, md.gov and state.md.us. Over the course of the program, which concluded Aug. 28, hackers vetted by the state and the cybersecurity firm HackerOne found more than 40 vulnerabilities, which the state fixed before threat actors could exploit them.

The state paid participants for each vulnerability discovered. The state did not disclose the amounts, which were based on the severity of the uncovered vulnerability.

Officials said the program helped the technology department establish relationships with private-sector cybersecurity leaders that will enable future bug bounties and other cybersecurity vulnerability programs.

Many federal agencies have run similar programs. Maryland’s bug bounty program is modeled after a program run by the Department of Defense’s Defense Digital Service to identify vulnerabilities in defense systems, according to a state news release. Before becoming Maryland’s chief information officer last year, Katie Savage led the Defense Digital Service, which ran a program called “Hack the Pentagon,” along with other bug bounty programs.

“Bug bounty programs have completely changed how the federal government identifies and remediates cybersecurity vulnerabilities,” Savage said in the release. “By implementing the widest state-level bug bounty program in our nation, the State of Maryland will identify vulnerabilities more quickly, establish strong, long-term ties with the security researcher community, and keep our state secure.”

The state’s Office of Security Management, which is led by Gregory Rogers, the state’s chief information security officer, helped facilitate the bug bounty program. Rogers said the program was part of a statewide cybersecurity strategy and information security program.

“The Office of Security Management is taking advantage of the latest strategies, innovations, and policy frameworks to achieve whole-of-State cybersecurity and protect against threat actors,” Rogers said in the release. “By strengthening our ties with our nation’s thriving security researcher community, we are building a secure State that can protect itself and its constituents, now and in the future.”

Written by Keely Quinlan

Keely Quinlan reports on privacy and digital government for StateScoop. She was an investigative news reporter with Clarksville Now in Tennessee, where she resides, and her coverage included local crimes, courts, public education and public health. Her work has appeared in Teen Vogue, Stereogum and other outlets. She earned her bachelor’s in journalism and master’s in social and cultural analysis from New York University.