Hackers earn $275,000 in ‘bug bounties’ after finding security flaws on Army websites
By JOHN VANDIVER | STARS AND STRIPES Published: January 17, 2020
The Army paid “bug bounty” hackers more than $275,000 for detecting vulnerabilities in popular military websites, which defense officials say is a step toward creating a more secure cyberspace.
The Defense Department, in coordination with the Defense Digital Service and the cybersecurity group HackerOne, announced earlier this week the winners of “Hack the Army 2.0,” which allows hackers to probe for security flaws.
The competition, which ended in November, targeted more than 60 publicly accessible web assets, including army.mil, goarmy.mil and the Arlington Cemetery website.
Fifty-two hackers from around the world reported 146 vulnerabilities over a five-week span, the event sponsors said in a joint statement Wednesday.
“Hackers from the U.S., Canada, Romania, Portugal, Netherlands, and Germany participated, with the first vulnerability being reported within four hours of the program launching,” the statement said.
The top individual payout was $20,000.
“Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,” Alex Romero, digital service expert at the Defense Digital Service, said in a statement. “With each Hack the Army challenge, our team has strengthened its security posture.”
The military has been sponsoring bug bounties for several years in connection with heightened concerns about vulnerabilities.
The threat posed by hackers goes well beyond publicly accessible military websites. A 2018 GAO report said cyber weaknesses are widespread and can affect real-world missions.
“DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development,” the GAO report said.
Part of the difficulty in strengthening defenses is the Pentagon’s problem with recruiting and retaining highly skilled experts, whose talents earn top dollar in the private sector, the GAO said.
The aim of the competition is to disclose vulnerabilities to security teams so they can better secure digital assets.
The second-place finisher in the competition, identified as @alyssa_herrera, said Defense Department programs “are some of my favorites to hack on.”
“It is so exciting to know that the vulnerabilities I find go towards strengthening Army defenses to protect millions of people,” the hacker said.
The other top winners were identified as @erbbysam and @cdl.
This was the second “Hack the Army” challenge and the ninth time that HackerOne has run a competition with the Defense Department.