Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Hackers Helped Pentagon Patch Thousands of Flaws

Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.

Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.

Nearly one year after it announced its vulnerability disclosure policy, the Pentagon received 2,837 valid bug reports from roughly 650 white hat hackers located in 50 countries around the world, according to HackerOne, the platform used by the organization to host its projects.

More than 100 of the flaws reported to the Pentagon through its vulnerability disclosure program have been rated critical or high severity. Weaknesses, found in nearly 40 DoD components, include remote code execution, SQL injection, and authentication bypass issues.

A majority of the reports were submitted by researchers from the United States, followed by India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

The DoD vulnerability disclosure program does not offer any monetary rewards – it only provides a channel for reporting security holes without the fear of potential legal consequences.

However, the Pentagon’s cybersecurity initiatives also include several bug bounty programs that offered monetary rewards. Researchers who took part in these challenges earned more than $300,000 for almost 500 flaws discovered in the organization’s public-facing systems. On the other hand, the government estimated that it saved millions of dollars by running these bug bounty programs.

The first initiative was Hack the Pentagon, which received 138 valid submissions and paid out roughly $75,000. Next were Hack the Army which paid out approximately $100,000 for 118 valid reports, and Hack the Air Force, which earned participants $130,000 for 207 valid reports.

Following the success of “Hack the Pentagon,” several bug bounty programs and related initiatives were announced by U.S. government organizations and lawmakers.

The General Services Administration (GSA) has launched a bug bounty program that offers rewards ranging between $300 and $5,000, and the Internal Revenue Service (IRS) announced a $2 million contract with security testing firm Synack for help in securing its online presence.

The Department of Justice (DoJ) has created a framework designed to help organizations develop formal vulnerability disclosure programs.

As for legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 will require companies that provide Internet-connected devices to the government to have a vulnerability disclosure policy. Senators also announced the Hack Department of Homeland Security (DHS) Act, which aims to establish a bug bounty pilot program within the DHS.

Related: Expert Hacks Internal DoD Network via Army Website

Related: Pentagon to Launch More Bug Bounty Programs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.