The U.S. Department of Defense uncovered almost 350 vulnerabilities in the department’s networks as part of its experimental bug bounty program launched on American Independence Day.
The weeklong bug bounty challenge that ran from July Fourth to July 11 was launched by the Chief Digital and Artificial Intelligence Office, Directorate for Digital Services, DOD Cyber Crime Center and vulnerability disclosure partner HackerOne, a private firm with a platform that enables researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures.
In announcing the results, HackerOne says the DOD gained critical insights into how the hacker community competes for prizes, with the end goal of strengthening the security of the hundreds of thousands of assets in the DOD scope.
Around 270 ethical hackers submitted 648 vulnerability reports under the DOD’s vulnerability disclosure program, including several critical vulnerabilities that were remediated during the bug bounty challenge, producing 350 “actionable” reports.
As part of the “Hack U.S.” program, the DOD paid a total of $75,000 in rewards for submitted vulnerability reports and $35,000 for bonus awards.
“In just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge. This … shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner,” says Melissa Vice, director of the vulnerability disclosure program.
Vice says that the initial evaluation of Hack U.S. reporting results found that the most commonly identified vulnerability category was Information Disclosure.
“With the identification of vulnerability trends, we can seek out patterns of detection and ultimately create new processes and system checks to ensure we address the root cause and develop further mitigations against malicious actors who might try to exploit our systems,” Vice says.
Other top flaws included “Improper Access Control – Generic” and SQL Injection. An improper access control weakness occurs when software fails to restrict access to a resource from an unauthorized actor; SQL injection, in which untrusted input is interpreted as part of a database query, is a common web attack technique.
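To make the two weakness classes concrete, here is an added illustration (not code from the DOD, HackerOne or this article) of a small document-lookup handler written twice: once with both weaknesses, once hardened. It uses Python's standard sqlite3 module against an in-memory table with constructed sample rows; the function names, table layout and user names are assumptions for the example.

```python
import sqlite3


def build_db():
    """Create an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id TEXT, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("doc-1", "alice", "alice's report"),
            ("doc-2", "bob", "bob's report"),
        ],
    )
    return conn


def fetch_document_vulnerable(conn, requester, doc_id):
    """Handler with both weaknesses named in the article (hypothetical code).

    - SQL injection: doc_id is spliced into the statement text, so the
      database parses whatever the caller supplied as part of the query.
    - Improper access control: the requester is never compared with the
      record's owner, so any authenticated user can read any document.
    """
    query = f"SELECT id, owner, body FROM documents WHERE id = '{doc_id}'"
    return conn.execute(query).fetchone()


def fetch_document_hardened(conn, requester, doc_id):
    """Same lookup with both defects fixed.

    - The parameterized query binds doc_id as data; it is never parsed as SQL.
    - An object-level authorization check denies access unless the requester
      owns the record. Returning None for both 'missing' and 'forbidden'
      also avoids disclosing whether a given id exists.
    """
    row = conn.execute(
        "SELECT id, owner, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    if row is None or row[1] != requester:
        return None
    return row


if __name__ == "__main__":
    db = build_db()
    # Bob asking for Alice's document: the vulnerable path hands it over.
    print("vulnerable:", fetch_document_vulnerable(db, "bob", "doc-1"))
    print("hardened:  ", fetch_document_hardened(db, "bob", "doc-1"))
    # Alice asking for her own document: the hardened path still serves it.
    print("owner:     ", fetch_document_hardened(db, "alice", "doc-1"))
```

The check that matters in review is the pairing: a parameterized query alone does not stop a user from reading another user's record, and an ownership check alone does not stop the query text from being rewritten, so a finding in either category should prompt a look for the other.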
“We have to make sure we stay two steps ahead of any malicious actor. This crowdsourced security approach is a key step to identifying and closing potential gaps in our attack surface,” says Katie Savage, deputy chief digital and artificial intelligence officer at Defense Digital Service.
Hack the Pentagon
The Pentagon has tinkered since 2016 with accepting vulnerability reports from security researchers and recently credited them with the closure of more than 6,000 vulnerabilities on public internet-facing military IT systems during 2021 alone.
The “Hack the Pentagon” program was launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. The program is overseen by the DOD Cyber Crime Center (see: ‘Hack the Pentagon’ Program Expands).
The July 2022 announcement came shortly after the closure of a yearlong test run by HackerOne of bug bounties made with a few dozen volunteer companies from the defense industrial base.
Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers.
HackerOne’s stance is that money isn’t the overriding motivation for all hackers. A 2021 company survey concluded that while bounties motivate about three-quarters of hackers, more than 8 in 10 say they also participate in bounty programs to expand their skills. More than 6 in 10 say bounties help advance their careers.