BALTIMORE, MD—The Maryland Department of Information Technology (DoIT) has announced the successful completion of its first bug bounty program, which identified over 40 exploitable vulnerabilities in the state’s public-facing web assets.

Launched as a pilot program focused on 12 key state websites, the initiative was later expanded to encompass all *.maryland.gov, *.md.gov, and *.state.md.us domains. This wide-ranging approach, modeled after a similar program run by the Department of Defense (DoD), makes Maryland’s bug bounty program one of the largest at the state level.

The program leveraged the expertise of vetted security researchers, who were financially compensated for their findings. This approach, lauded by DoIT Secretary Katie Savage for its effectiveness in identifying and remediating vulnerabilities, is becoming increasingly standard at the federal level, with the Cybersecurity and Infrastructure Security Agency (CISA) actively encouraging its adoption.

“Bug bounty programs have completely changed how the federal government identifies and remediates cybersecurity vulnerabilities,” said Savage, who previously led the Defense Digital Service within the DoD and oversaw multiple bug bounty programs, including “Hack the Pentagon.” “By implementing the widest state-level bug bounty program in our nation, the State of Maryland will identify vulnerabilities more quickly, establish strong, long-term ties with the security researcher community, and keep our state secure.”

The Maryland bug bounty program not only bolstered the state’s cybersecurity but also cultivated relationships with security researchers, paving the way for future collaborations on vulnerability identification and remediation. By leveraging federal best practices and utilizing cutting-edge strategies, Maryland is committed to ensuring the safety and security of its residents’ data and online systems.

This article was written with the assistance of AI and reviewed by a human editor.

Photo via Pixabay