An eighth iteration of the Pentagon’s bug bounty program discovered a critical vulnerability in Department of Defense systems.
HackerOne, the ethical hacking company partnered with the DoD for penetration testing, announced Oct. 14 it completed the Pentagon’s “Hack the Proxy” program, which allowed white hat hackers to probe the department’s Virtual Private Networks, virtual desktops and proxies.
The hackers found 31 vulnerabilities. Nine were considered “high severity" and 21 were “medium/low severity." The release did not offer any additional details on the critical vulnerability found. Last year, an Army secure file sharing site was taken offline because a critical vulnerability was found through a similar disclosure program.
The goal was to find “find places where the many external DoDIN [Department of Defense Information Network] touchpoints might be used by adversaries to surveil information that is internal to the network.”
"Validating capabilities, closing previously unknown vulnerabilities, and enforcing standards improve our ability to conduct multidomain military operations,” said Master Sgt. Michael Methven at U.S. Cyber Command’s Directorate of Operations. “Hack the Proxy is an important approach that leverages crowd-sourced talent for an outside-in view of our vulnerabilities. At little cost, we identify and mitigate vulnerabilities more effectively, making the Department’s networks more resilient and securing our data from malicious cyber actors.”
The Pentagon doled out $33,750 to hackers who submitted valid vulnerabilities between Sept. 3-18. In total, 81 hackers from across the world participated. The biggest prize was $5,000. One U.S.-based hacker won $16,000, nearly half the purse.
“With each new initiative, the Department of Defense further bolsters its cyber defenses against rogue enemy actors thanks to white hat hackers from across the globe,” said Alex Romero, digital service expert at the Department of Defense Defense Digital Service. “As our adversaries become more sophisticated in their tactics, we must stay one step ahead to protect our citizens and defense systems."
The “Hack the Proxy" program, sponsored by U.S. Cyber Command is a partnership between the DoD, Defense Digital Service and HackerOne. HackerOne leads several ethical hacking events with various Pentagon components, including several iterations of hacking the military services and Pentagon as a whole.
Hack the Proxy was the first bug bounty focused on find vulnerabilities in government-owned, publicly accessible proxy servers. HackerOne disclosure programs, which started in 2016, have discovered over 10,000 vulnerabilities.
"The DoD has embraced hacker-powered security with open arms by consistently collaborating with hackers worldwide to help them find areas where they can be vulnerable to attack,” said Marten Mickos, CEO of HackerOne. “Each initiative has not only bolstered the DoD’s cybersecurity posture, but also served as an example of how trusting hackers can improve defense system on an ongoing basis.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.