A US government bug bounty programme that rewards hackers for identifying vulnerabilities in its systems this week paid out $78,650 (£59,000) for 65 valid unique vulnerabilities.
The crowd-sourced security initiative “Hack the DTS” saw nineteen hackers participate in the challenge — reporting 28 high or critical level vulnerabilities across the Pentagon’s travel system.
Reina Staley, Chief of Staff and Hack the Pentagon program manager at Defense Digital Service said in release: “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS.”
She added: “We’d like to thank the participating hackers for contributing their time to help us safeguard sensitive information.”
The programme is led by hacker-powered security platform HackerOne and targets the Defense Travel System, an enterprise system relied on by millions of DoD employees.
“0day? What 0day?” Credit: Department of Defense (Senior Airman Luke Kitterman)
3,000 Vulnerabilities Found So Far
More than 3,000 vulnerabilities have been resolved in government systems since the Hack the Pentagon crowd-sourced security programme with HackerOne launched in 2016.
Jack Messer, project lead at Defense Manpower Data Center (DMDC) added: “DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical.”
Content from our partners
He added: “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”
Chris Wallis, founder of Intruder, the continuous security monitoring platform, told Computer Business Review: “It’s great to see Government agencies engaging with bug bounty programmes, and become more secure as a result. Bug bounties are a superb addition to regular and structured testing, although they shouldn’t be considered a replacement.”
He added: “Operating any scheme on a no-win no-fee basis will attract the most skilled to the highest payouts. Smaller businesses should be wary not to sign up to these programmes and think they are ‘fully covered’, as there’s no guarantee anyone is watching them while the crowd’s best hackers are being invited to hack the Pentagon!”
The first Hack the Pentagon bug bounty challenge ran in May 2016. It identified 138 valid vulnerabilities.
Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions.
The second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers.
Hack the DTS is fifth in an ongoing series with the Pentagon’s Defense Digital Service that aims to deepen engagement with the ethical hacking community.
