Pentagon bug bounty program turns up nearly 350 vulnerabilities
Image: David B. Gleason
Martin Matishak September 29, 2022

White hat hackers uncovered almost 350 vulnerabilities inside the Defense Department’s networks during a week-long bug bounty program held earlier this year, according to the initiative’s organizers.

Nearly 270 researchers participated in the effort, called “Hack U.S.”, which offered financial rewards for sniffing out critical- and high-level vulnerabilities in systems operated by the Pentagon.

Competitors submitted 648 reports, within the scope of the DoD’s vulnerability disclosure program (VDP), to bug bounty platform HackerOne and the department agencies overseeing the pilot program between July 4 and July 11. Of those, 349 were deemed “actionable” — paying out $75,000 in total bounties and another $35,000 in bonuses and awards.

“In just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge,” Melissa Vice, the VDP director, said in a statement.

“This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner,” she added.

The department launched its first bug bounty, dubbed “Hack the Pentagon,” in 2016. The practice has since proliferated to include specific chunks of DoD’s various systems, the military branches and the Homeland Security Department.

Vice said an initial evaluation of the program’s results found that the most commonly identified vulnerability was categorized as “information disclosure.”

“With the identification of vulnerability trends, we can seek out patterns of detection and ultimately create new processes and system checks to ensure we address the root cause and develop further mitigations against malicious actors who might try to exploit our systems,” she said.

Other top flaws discovered through the effort included improper access and generic SQL injection.

“We have to make sure we stay two steps ahead of any malicious actor,” Katie Olson Savage, deputy chief digital and artificial intelligence officer and Defense Digital Service director, said in a statement. “This crowd-sourced security approach is a key step to identifying and closing potential gaps in our attack surface.”

Alex Rice, HackerOne’s co-founder and chief technology officer, praised the department, saying it “has long since recognized the benefits of working with hackers as an additional layer of protection for their digital assets.”

He said the vulnerabilities unearthed by the latest competition “will offer more air cover on all the assets that help maintain U.S. national security, and insights from reports will help inform how the DOD approaches identifying future threats.”

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.