Hello, Thursday! The dog days of summer are, unfortunately, here. Praying for some cumulonimbus activity in the sky to cool you off? Same here, though some clouds are more eco-friendly than others.
In today’s edition:
- Bounty hunter
- Burnout remastered
—Tom McKay, Billy Hurley, Patrick Lucas Austin
Unlike you and that high-school bully you’ve never quite forgiven, IT professionals know how to patch things up. They’re the ones who must repeatedly scramble to fix vulnerabilities in laptops, servers, databases, and any other network-facing devices that have a kernel of an operating system.
All this vulnerability management can be an exhausting responsibility—but it’s one that can potentially be relieved when IT managers reduce the scope of the colossal task, as well as recognize the teams’ efforts, according to industry experts who spoke to IT Brew.
Take just the category of applications. Some retailers require adjustments to Web and mobile apps on an almost daily basis, said Sonali Shah, chief product officer at the app-security provider Invicti Security.
“There’s that pressure, I would say, to continuously innovate,” Shah told IT Brew. “But at the same time, there’s this explosion of vulnerabilities.”
The US government’s National Vulnerability Database (NVD), which features common vulnerabilities and exposures, has a list of over 176,000 total entries. (Even the list for June alone looks like a lot.)
A 5 out of 100: Not as bad as you think
For a vulnerability management program to succeed, IT teams may have to find a way to narrow down the list of flaws, rather than worry about scoring a perfect 100.
Verifying that a patch has been deployed is an important aspect of vulnerability management—one potentially made less overwhelming when top priorities are defined and handled first.
“The reality is, if I hand you 100 [vulnerabilities], you’re going to look at me and say, ‘Yeah, I’ll get to it at some point,’” said Sophat Chev, chief advisor of security at IT service-management company ConvergeOne. “If I give you five, you’re probably more apt to go fix those five, right?”
Backlog and burnout
Prioritizing, patching, remediating, and reporting are an even tougher set of responsibilities when you’re also tasked with the usual IT assignments, like providing technical support, training employees, working with suppliers, and explaining that printer No. 2 isn’t working because nobody’s refilled the paper tray.
“There’s just so much stuff going on, so many alerts, so many notifications of suspicious or malicious activity, that it’s impossible to keep up with all of them,” said Ian McShane, VP of strategy at Arctic Wolf, a network-monitoring cybersecurity company. “It means that the backlog for a lot of work in cybersecurity just gets bigger and bigger every single day.”
Read it here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
TOGETHER WITH AWS MARKETPLACE
WEBINAR: Thursday, July 28 | 11 am PDT
Save your spot HERE.
Join this webinar to learn the integral role of data as part of your application modernization strategy. Discover the importance of test automation, data management, and data democratization in enterprises to ensure your data meets your end-use and functional requirements.
You will learn how to:
- Apply DevOps principles like version control, testing, and CI/CD to data changes.
- Break the data monolith while preventing data sprawl and silos to create a unified source of truth.
- Architect your data layer to support application modernization, observability, and analytics.
- Use fit-for-purpose solutions like MongoDB, Databricks, and Elastic to build your modern data architecture.
Register now.
Representatives from US combatant commands, in partnership with the Joint Artificial Intelligence Center, conduct an exercise. (US Air Force Tech. Sgt. Tommy Grimes)
The Pentagon is offering cash for clunkers—specifically, bounties for anyone able to detect bugs and other vulnerabilities across a broad range of public-facing websites and apps.
The Defense Department initiative, called Hack US, runs from July 4 to July 11 and is in partnership with HackerOne, one of the bug-hunting platforms it’s worked with for years as part of its outreach to white-hat hackers. The Register reported that the program, which is being run by three separate DOD departments, including its Cyber Crime Center, will pay out around $75,000 in bounties on a first-come, first-served basis, while another $35,000 will fall into special categories.
The Pentagon is offering $500 or more for high-severity bugs and $1,000 or more for critical ones. Those who nail vulnerabilities in special categories, such as the best finding on each of the service branches’ domains, can score up to $5,000 a hit. (If the DOD deems a bug as only worthy of a low or medium severity CVSSv3 score, no prize is offered, but they’ll add it to their bug tracker.)
Government employees are eligible to participate in the program so long as they submit an official request to participate outside of their normal work hours.
HackerOne lists over 22,000 DOD-related reports as resolved over the years. As of Thursday afternoon, the Hack US page showed around 400 reports.
“This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at publicly accessible Department of Defense (DOD) information systems, including web properties, and submitting discovered vulnerabilities to DOD,” the program’s description reads.
In May, a DOD pilot program called the Defense Industrial Base-Vulnerability Disclosure Program, which was also run via HackerOne, found roughly 400 issues on sites and assets belonging to military contractors and other firms that comprise the defense industrial base.
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
What’s up with startup security? To find out, Vanta asked startups to anonymously answer questions about their security posture, security road map, and general security satisfaction. Over 500 people took part in Vanta’s State of Startup Security Report 2022, which offers an eye-opening look at how orgs prioritize and prove security. See the data breakdown here.
Today’s top IT reads.
Stat: $20+ billion. That’s the investment Volkswagen Group says it will make to build out its own electric vehicle battery facilities through the creation of a new company. (the Verge)
Quote: “It’s like a magician. To the magician, the trick is easy, but to everyone else, it’s a lot harder.”—Trevor Rainbolt, expert player of GeoGuessr, which asks players to guess the name of a random location in Google Maps (the New York Times)
Read: Various tech companies are offering to cover abortion-related costs for employees. But not all workers are included in this pledge. (Wired)
Candid convos with industry icons: Hosted by Brew co-founder Alex Lieberman, the Imposters podcast delves deep into the personal and mental challenges some of the biggest names in biz have faced while reaching their most resounding achievements. Listen here.
- Reddit’s getting ready to sell collectible avatars—also known as NFTs—in an effort to integrate blockchain technology into the platform.
- Over 70,000 Starlink users have complained to the FCC regarding Dish Network’s proposal to use the 12GHz spectrum for its network, which could interrupt service for Starlink users.
- A cyberattack targeting software company Geographic Solutions brought down unemployment websites in various states across the US.
- Macmillan is back online and selling books after a cyberattack took the publisher down earlier this week.