"Hack the Army" program finds 118 unique and actionable vulnerabilities
WASHINGTON. Officials released the results of the latest Department of Defense (DoD) bug bounty program, termed "Hack the Army": The three-week scheme found 118 unique and actionable reports; the first vulnerability was found within five minutes of the launch of the program.
The objectives of the bug bounty program -- coordinated by the DoD, the Pentagon's Defense Digital Services (DDS) group, and DoD contractor HackerOne -- included continuing to bridge the gap between the private sector and hackers, continuing the work begun by the Army's "red team" hackers and the DDS workforce to secure government computer systems and networks, and increasing the security of the military's mission-oriented systems and networks.
During the program, 371 eligible participants found 118 unique and actionable vulnerabilities; among the hackers, 25 were government employees, 17 of which were military personnel. HackerOne paid an estimated $100,000 to the hackers.
A HackerOne blog about the event details: "The most significant vulnerability found through this exercise was due to a series of chained vulnerabilities. A researcher could move from a public-facing website, goarmy.com, and get to an internal DoD website that requires special credentials to access. They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system."
To read the complete HackerOne blog: Hack the Army Results Are In
Read more on cybersecurity:
Cybersecurity simulation and training collaboration forged by SAIC, root9B
Cybersecurity for U.S. power grid contracts won by Raytheon
U.S. Navy selects SAIC to provide support for C4 and Cyber program