Pentagon is far too tight with its security bug bounties

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug …

  1. IceC0ld

    proof, if ever we need to see it, that IT IS still seen as the necessary evil, has to be there, but no one wants us :o(

  2. Kev99 Silver badge

    The article nailed the wastefulness of three versions of one aircraft. During the war the F4U Corsair was used by both the Corps and the Navy. The F4 Phantom was used by both the Navy and Air Force. Not to mention the SBD / A-24, PBJ / B-25, PB4Y / B-24, PB1 / B-17, SNJ / T-6, the C-130, A-7, and the A-1. Other than the Navy planes needing a tail hook, there really is no practical reason for the three different models.

    1. SundogUK Silver badge

      Not sure about some of your examples, but any aircraft that is going to fly off a carrier deck has to be proofed against constant salt spray and have strengthened landing gear and fuselage structure because landings are much harder. (They come down fast and hard because they have a lot less space to stop.) If you tried to land an unmodified Air Force F35 on a carrier you would likely write it off first time.

    2. Mayday

      Air Force vs Navy vs Marines

      Different undercarriage (including tail hook and catapult launch gear)

      Folding wings

      Different store attachments

      Thrust vectoring mechanisms

      Different landing systems (for flight deck operations)

      Etc

      1. MachDiamond Silver badge

        Re: Air Force vs Navy vs Marines

        Everything in engineering is a compromise. It's not a bad thing to share some subsystems across military aircraft, but the requirements between a plane that works from an airport and one that works from a carrier are different enough that it's better to design each for those roles. While the newest generation is very cool and exciting with all of the new gadgets they have, I'm a fan of just building a s-ton of something that already works just fine. A wing of F-35's isn't nearly as impressive as 100 A-10's coming over the horizon or wave after wave of F-16's. The psychological aspect can be a much bigger factor than some stealth tricks and being able to put a very limited amount of ordnance precisely on target. Not a bad thing, but "perfection in war is so sapping your enemy's will that they give up without a fight". Sans that, getting them to lie down and cover their heads isn't bad either.

    3. Blank Reg

      All that military spending isn't about producing something useful, it's about shifting taxpayer money to billionaires under the guise of protecting the country and creating jobs.

    4. PRR Bronze badge

      > no practical reason for the three different models.

      McNamara thought the same thing, and tried to force the Air Force and Navy to accept ONE design. This did not work out as hoped.

      The TFX Decision: McNamara and the Military: THE F-111 Fighter-Bomber 1968, Robert J. Art

      "...an engineering fiasco. ..... the lesson of the TFX is that multirole and joint service is a false economy, and that good-enough-today is better than cutting-edge-tomorrow." - Michael Burnam-Fink on GoodReads

      Contrasting insight, 50+ years later: When Pigs Flew: The TFX Affair by Chris Hansen, 2021, ISBN: 9798509562099

      ----------------------------

      Something for the weekend!!

  3. Yet Another Anonymous coward Silver badge

    It's not just about the money

    It's also that if you have a name that's hard to pronounce they may just decide that you're an enemy spy, or if you are brown, a terrorist.

    1. Version 1.0 Silver badge

      Re: It's not just about the money

      But effectively "discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems" can get you arrested ...

  4. Anonymous Coward

    35k/hour for stadium fly-bys

    They're considered training missions with full briefings as if they were flying in, for example, Donbas. Since training flights are part of everyday Air Force life, I despise when the uninformed claim that the expense is a waste. Flight time is never wasted time.

  5. ITS Retired

    "Microsoft paid $13.7 million" How much money would it take Microsoft to properly test their software before it left the building, so the public wouldn't find so many bugs?

    1. DevOpsTimothyC

      It's going to cost MSFT more than $13.7M to fully test and fix all their software to the point there's no bugs. Who was it that came up with "80% of the users only use 20% of the features"?


  6. Geez Money

    Amazing

    Amazing how many totally false statements you can shove into one piece of propaganda lmao.

    The best part is that if you actually click the links to the (highly biased) sources they straight up contradict what the article claims they say. You literally claim the F35 costs $120 million or whatever while linking an article saying it costs $71 million (the correct figure for the last batch). You also repeat any number of totally false, unsourced and unsourceable claims about the F35.

    This shit is going straight to NCD. This is somehow the worst defense take I've seen in months, and we're in the middle of a major war everyone is trying to write about. Truly impressive stuff.

    1. Cav Bronze badge

      Re: Amazing

      Am I missing something or can you not read? The linked article says exactly what they say it says. As the unit cost link in the linked article states, the $71 million is a deceptive figure, used to hoodwink the taxpayer, excluding the engine and parts.

  7. MachDiamond Silver badge

    When the money for selling info

    .... greatly exceeds the bug bounty, some of the testers might be looking at the bounty programs as a way to avoid detection. If people are being invited to test something, it eliminates the first alarm bell. All they might need to do is register with some false information and do their work from a node that isn't tied to them. One has to hope that the entity hosting the event is using a shadow system with dummy information.

    It's like the gun buyback program that was paying enough money that one guy found it profitable to 3D print guns and turn them in for the "reward" until they got wise. The beauty was that he didn't have to test that the 3D printed gun would actually work and not endanger the person firing it.

  8. Grinning Bandicoot

    Wiki gives: The Pareto principle states that for many outcomes, roughly 80% of the consequences come from 20% of the causes (the "vital few"). Other names for this principle are the 80/20 rule, the law of the vital few, or the principle of factor sparsity.
