DoD Announces Final Results of ‘Hack US’ Bug Bounty Program

The US Department of Defense (DoD) and HackerOne this week announced the results of the Hack US one-week bug bounty challenge that ran from July 4 to July 11, 2022.

Launched by the Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3), the challenge was an extension of DoD’s vulnerability disclosure program (VDP) running on the HackerOne bug bounty platform.

The DoD announced it was offering a total bounty pool of $110,000, representing $75,000 in rewards for submitted vulnerability reports, and $35,000 for bonus awards.

This week, the department said that the entire bounty pool was exhausted. A total of 267 ethical hackers participated in the challenge, 139 of them being new to DoD’s VDP.

In total, the ethical hackers submitted 648 reports during the Hack US event, including 349 actionable reports, the DoD announced.

According to DoD VDP director at DC3 Melissa Vice, many of the submitted reports “could have been critical had they not been identified and remediated during this bug bounty challenge”.

She also pointed out that information disclosure was the most commonly identified vulnerability type during the seven-day event, followed by improper access control and SQL injection.

Vice also said that DoD will use the insights gained during the challenge to address the root cause of these security issues and prevent their malicious exploitation.

“The vulnerabilities discovered by the hacker community during Hack US will offer more air cover on all the assets that help maintain US national security, and insights from reports will help inform how the DoD approaches identifying future threats,” HackerOne co-founder and CTO Alex Rice said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
