The Department of Defense handed out approximately $100,000 in rewards.
And you thought hacking the Pentagon was easy: The US Army last week revealed details of its first bug bounty program.
The four-week Hack the Army scheme generated 416 vulnerability reports (nearly 30 percent of which are unique and actionable) and approximately $100,000 for security researchers and bug hunters.
The most significant flaw—as reported by HackerOne, a security consulting firm under contract with the Pentagon—was uncovered due to a series of chained vulnerabilities that unwittingly took a hacker from the public-facing goarmy.com site to an internal Department of Defense page usually requiring special credentials to access.
“On its own, neither vulnerability is particularly interesting, but when you pair them together, it’s actually very serious,” HackerOne explained.
The Army remediation team and Army Cyber Protection Brigade stepped in to patch the hole.
“We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” former Army Secretary Eric Fanning said in the November announcement about Hack the Army. “We’re looking for new ways of doing business.”
The DoD experimented with a similar program last spring, when it invited white-hat hackers and researchers to infiltrate the Pentagon; 138 established vulnerabilities cost the federal government some $150,000—money well spent, the agency said in June.
“What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation’s security, but lack a legal avenue to do so,” Fanning said.
But unlike Hack the Pentagon, which offered static websites not considered targets, Hack the Army provided sites considered critical to its recruiting mission, according to HackerOne.
“Crowdsourcing is really the only way to get the dynamic skills you need that a static workforce can’t get you,” Lisa Wiswell of the DoD’s Defense Digital Service, said in a statement last fall.
More than 370 people participated in hacking the largest branch of the US Armed Forces—including 25 government employees, 17 of whom are military personnel.