138 security flaws in US defense websites uncovered in Hack the Pentagon

Results are in from the US Department of Defense’s (DoD’s) pilot “Hack the Pentagon” bug bounty initiative. Top civilian brass say they’re thrilled: going forward, US hackers should expect more opportunities to make an honest buck by uncovering new security vulnerabilities in America’s defense infrastructure.

From 18 April to 12 May, DoD invited US hackers to register for a shot at cash bounties available to those who identified vulnerabilities on defense.gov and four additional public-facing websites: dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.

The official stats, just reported: 1,410 eligible hackers enrolled. Registrants came from 44 US states, and expatriate US citizens joined from the UK, Germany, Japan, and beyond. Of the registrants, more than 250 sent at least one vulnerability report. Of those, “138 were determined to be legitimate, unique and eligible for a bounty” – and, by now, these vulnerabilities have all been addressed.

According to the Associated Press, one hacker earned the government’s top prize of $15,000 for submitting multiple vulnerabilities; other awards ranged all the way down to $100. Site security flaws started arriving just 13 minutes after the program went live; nearly 200 reports arrived in the first six hours.

Per DoD’s partner, HackerOne:

A SQL Injection issue was the most severe and earned $3,500, the highest individual bounty. Cross-Site Scripting issues were the most common, as is the case in most bug bounty programs, and Information Disclosure was the second most common.

Total program cost: $150,000, with roughly half paid out in reward bounties. A bargain, say the feds:

Hiring an outside contractor to conduct a similar security test could have cost more than $1 million.

Hack the Pentagon was the brainchild of a recently launched DoD agency, the Defense Digital Service (DDS). Its director, Chris Lynch, is a long-time tech startup founder and executive who hopped over from the White House tech team that helped clean up after the healthcare.gov debacle.

DDS emphasized that its pilot program only focused on public sites, not “critical, mission-facing computer systems.” Someday, says Lynch, that could change:

What we want to figure out is how we can use this [on] nearly any level of classification, or any type of activity. We’re not there yet… [but] we recognize that this is a really valuable tool.

Three more follow-on initiatives are already underway.

First: development of a vulnerability disclosure process and policy for DoD so anyone with information about vulnerabilities in DoD systems, networks, applications, or websites can submit it, without fear of prosecution.

Second: development of a standard contract that can be used to expand bug bounty programs across DoD, especially to the “Services” – e.g., Army, Navy, Marines, and Air Force.

Third: new incentives for DoD contractors to “open their own systems for testing – especially DoD source code.”

The program has proved popular so far, according to US Defense Secretary Ash Carter:

We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks… What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer.