Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Endpoint Security

Pentagon Bug Bounty Program Uncovers 350 Vulnerabilities

Department Paid $110,000 in Rewards for Submitted Vulnerability Reports
Pentagon Bug Bounty Program Uncovers 350 Vulnerabilities

The U.S. Department of Defense uncovered almost 350 vulnerabilities in the department's networks as part of its experimental bug bounty program launched on American Independence Day.

See Also: Strengthening Defenses with ISO/IEC 27001 Standards: The Frontier of Canadian Cybersecurity

The weeklong bug bounty challenge that ran from July Fourth to July 11 was launched by the Chief Digital and Artificial Intelligence Office, Directorate for Digital Services, DOD Cyber Crime Center and vulnerability disclosure partner HackerOne, a private firm with a platform that enables researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures.

While announcing the results, HackerOne, the vulnerability disclosure partner, says the DOD gained critical insights into how the hacker community competes for prizes with an end goal of strengthening the security of the hundreds of thousands of assets in the DOD scope.

Key Findings

Around 270 ethical hackers submitted 648 vulnerability reports under the DOD's vulnerability disclosure program, including several critical vulnerabilities that were remediated during the bug bounty challenge, producing 350 "actionable" reports.

As part of the "Hack U.S. program, the DOD paid a total of $75,000 in rewards for submitted vulnerability reports and $35,000 for bonus awards.

"In just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge. This ... shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner," says Melissa Vice, director of the vulnerability disclosure program.

Vice says that the initial evaluation of Hack U.S. reporting results uncovered the most commonly identified vulnerability was categorized as Information Disclosure.

"With the identification of vulnerability trends, we can seek out patterns of detection and ultimately create new processes and system checks to ensure we address the root cause and develop further mitigations against malicious actors who might try to exploit our systems," Vice says.

Other top flaws included Improper Access Control - Generic and SQL Injection. An improper access control weakness occurs when software fails to restrict access to a resource from an unauthorized actor, and an SQL injection is a common web hacking technique.

"We have to make sure we stay two steps ahead of any malicious actor. This crowdsourced security approach is a key step to identifying and closing potential gaps in our attack surface," says Katie Savage, deputy chief digital and artificial intelligence officer at Defense Digital Service.

Hack the Pentagon

The Pentagon has tinkered since 2016 with accepting vulnerability reports from security researchers and recently credited them with the closure of more than 6,000 vulnerabilities on public internet-facing military IT systems during 2021 alone.

The "Hack the Pentagon" program was launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. The program is overseen by the DOD Cyber Crime Center (see: 'Hack the Pentagon' Program Expands).

The July 2022 announcement came shortly after the closure of a yearlong test run by HackerOne of bug bounties made with a few dozen volunteer companies from the defense industrial base.

Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers.

HackerOne's stance is that money isn't the overriding motivation for all hackers. A 2021 company survey concluded that while bounties motivate about three-quarters of hackers, more than 8 in 10 say they also participate in bounty programs to expand their skills. More than 6 in 10 say bounties help advance their careers.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.