The US Department of Defense (DoD) and HackerOne this week announced the results of the Hack US one-week bug bounty challenge that ran from July 4 to July 11, 2022.
Launched by the Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3), the challenge was an extension of DoD’s vulnerability disclosure program (VDP) running on the HackerOne bug bounty platform.
The DoD announced it was offering a total bounty pool of $110,000, representing $75,000 in rewards for submitted vulnerability reports, and $35,000 for bonus awards.
This week, the department said that the entire bounty pool was exhausted. A total of 267 ethical hackers participated in the challenge, 139 of them being new to DoD’s VDP.
In total, the ethical hackers submitted 648 reports during the Hack US event, including 349 actionable reports, the DoD announced.
According to DoD VDP director at DC3 Melissa Vice, many of the submitted reports “could have been critical had they not been identified and remediated during this bug bounty challenge”.
She also pointed out that information disclosure was the most commonly identified vulnerability type during the seven-day event, followed by improper access control and SQL injection.
Vice also said that DoD will use the insights gained during the challenge to address the root cause of these security issues and prevent their malicious exploitation.
“The vulnerabilities discovered by the hacker community during Hack US will offer more air cover on all the assets that help maintain US national security, and insights from reports will help inform how the DoD approaches identifying future threats,” HackerOne co-founder and CTO Alex Rice said.
Related: DoD Announces Results of Vulnerability Disclosure Program for Defense Contractors
Related: California Man Convicted for Stealing Millions From DoD via Phishing Scheme
Related: Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year