Connect with us

Hi, what are you looking for?


Management & Strategy

Hackers Helped Pentagon Patch Thousands of Flaws

Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.

Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.

Nearly one year after it announced its vulnerability disclosure policy, the Pentagon received 2,837 valid bug reports from roughly 650 white hat hackers located in 50 countries around the world, according to HackerOne, the platform used by the organization to host its projects.

More than 100 of the flaws reported to the Pentagon through its vulnerability disclosure program have been rated critical or high severity. Weaknesses, found in nearly 40 DoD components, include remote code execution, SQL injection, and authentication bypass issues.

A majority of the reports were submitted by researchers from the United States, followed by India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

The DoD vulnerability disclosure program does not offer any monetary rewards – it only provides a channel for reporting security holes without the fear of potential legal consequences.

However, the Pentagon’s cybersecurity initiatives also include several bug bounty programs that offered monetary rewards. Researchers who took part in these challenges earned more than $300,000 for almost 500 flaws discovered in the organization’s public-facing systems. On the other hand, the government estimated that it saved millions of dollars by running these bug bounty programs.

The first initiative was Hack the Pentagon, which received 138 valid submissions and paid out roughly $75,000. Next were Hack the Army which paid out approximately $100,000 for 118 valid reports, and Hack the Air Force, which earned participants $130,000 for 207 valid reports.

Advertisement. Scroll to continue reading.

Following the success of “Hack the Pentagon,” several bug bounty programs and related initiatives were announced by U.S. government organizations and lawmakers.

The General Services Administration (GSA) has launched a bug bounty program that offers rewards ranging between $300 and $5,000, and the Internal Revenue Service (IRS) announced a $2 million contract with security testing firm Synack for help in securing its online presence.

The Department of Justice (DoJ) has created a framework designed to help organizations develop formal vulnerability disclosure programs.

As for legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 will require companies that provide Internet-connected devices to the government to have a vulnerability disclosure policy. Senators also announced the Hack Department of Homeland Security (DHS) Act, which aims to establish a bug bounty pilot program within the DHS.

Related: Expert Hacks Internal DoD Network via Army Website

Related: Pentagon to Launch More Bug Bounty Programs

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.