
Hackers Find 65 Bugs in Department of Defense System

White hat programme continues to grow

By CBR Staff Writer

A US government bug bounty programme that rewards hackers for identifying vulnerabilities in its systems this week paid out $78,650 (£59,000) for 65 valid unique vulnerabilities.

The crowd-sourced security initiative “Hack the DTS” saw nineteen hackers participate in the challenge — reporting 28 high or critical level vulnerabilities across the Pentagon’s travel system.

Reina Staley, Chief of Staff and Hack the Pentagon program manager at Defense Digital Service, said in a release: “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS.”

She added: “We’d like to thank the participating hackers for contributing their time to help us safeguard sensitive information.”

The programme is led by hacker-powered security platform HackerOne and targets the Defense Travel System, an enterprise system relied on by millions of DoD employees.

“0day? What 0day?” Credit: Department of Defense (Senior Airman Luke Kitterman)

3,000 Vulnerabilities Found So Far

More than 3,000 vulnerabilities have been resolved in government systems since the Hack the Pentagon crowd-sourced security programme with HackerOne launched in 2016.

Jack Messer, project lead at Defense Manpower Data Center (DMDC) added: “DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical.”


He added: “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”

Chris Wallis, founder of Intruder, the continuous security monitoring platform, told Computer Business Review: “It’s great to see Government agencies engaging with bug bounty programmes, and becoming more secure as a result. Bug bounties are a superb addition to regular and structured testing, although they shouldn’t be considered a replacement.”

He added: “Operating any scheme on a no-win no-fee basis will attract the most skilled to the highest payouts. Smaller businesses should be wary not to sign up to these programmes and think they are ‘fully covered’, as there’s no guarantee anyone is watching them while the crowd’s best hackers are being invited to hack the Pentagon!”

The first Hack the Pentagon bug bounty challenge ran in May 2016. It identified 138 valid vulnerabilities.

Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions.

The second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers.

Hack the DTS is fifth in an ongoing series with the Pentagon’s Defense Digital Service that aims to deepen engagement with the ethical hacking community.
