Bug Bounty Program Uncovers 100+ Vulnerabilities in Pentagon’s Public Websites

Over 100 vulnerabilities affecting the Pentagon’s computer networks have been uncovered by white hat hackers who participated in the U.S. Government’s “Hack the Pentagon” bug bounty program, according to Defense Secretary Ashton Carter.

Last March, the U.S. Department of Defense (DoD) through the Defense Digital Service announced the program—the first commercial one by the federal government—and invited 1,400 vetted hackers to break into the Pentagon’s public websites in order to test their security. The initiative was modeled after similar initiatives organized by large enterprises to help them detect security flaws in their networks before black hats and other cybercriminals can exploit them. Pentagon’s program ran from April 18th and wrapped up last May 12th. 

The program was launched amid recent mishaps and security incidents involving government-run online infrastructure, along with a history of launching buggy websites. In February, the Department of Homeland Security suffered a data breach that leaked the credentials of 9,000 of its employees, and risked the exposure of personally identifiable information of 20,000 FBI employees. The Internal Revenue Service’s (IRS) Get Transcript tool, which allowed taxpayers to download their records directly from the IRS website, was exploited by cybercriminals and stole sensitive information from 724,000 people. 

The websites of the Office of Personnel Management, the DoD’s Defense Contract Management Agency, state-run health insurance exchanges in California, Kentucky and Vermont, National Weather Service, National Institutes of Health and Homeland Security as well as .gov domains managed by the Office of Citizen Services and Innovative Technology have also been exposed to information theft, SQL injection and cross site scripting vulnerabilities, weak password encryption, phishing scam, unvalidated redirects and forwards, and spam. There was also the infamous healthcare.gov website and its slew of technical problems when it was launched. Incentivizing hackers to find vulnerabilities before they can be leveraged by cybercriminals helps DoD nip security issues in the bud.  

[Read: Zero-Day Vulnerabilities 101] 

The continuous increase in cyberattacks worldwide, an ever-evolving cybercrime landscape, the benefits of further strengthening an organization’s online infrastructure and promotion of mutually rewarding relationships in the cybersecurity community are driving bug bounty programs to grow in scope and volume. 

Within a span of few years, bug bounty programs have become more than just a novelty for enterprises, especially those looking to capitalize on the skills of an organized pool of security experts aside from their own. Google, for instance, paid over $2 million in 2015 to security researchers who found security flaws in its systems and services, including the Android OS. Google has also started issuing research grants to encourage more people to look for vulnerabilities in its networks. 

Facebook has been reported to have paid over $4.3 million in bounties since launching its program in 2011—with one bug hunter alone rewarded with $15,000—while Twitter has spent $322,420 since launching its own program in 2014, with one  security expert paid $54,000 for all his submissions. 

Yahoo! reported that it has paid more than $1.6 million to network vulnerability reporters, with 2,200 out of 12,000 submissions resulting in a bounty payout. United Airlines has awarded two security researchers one million air miles each after discovering 14 vulnerabilities, including remote code execution bugs, in their web security and online assets. Microsoft has just recently expanded its bug bounty programs, offering to pay as much as $100,000 for disclosing ‘novel exploitation techniques’ against security built into the company’s latest OS.  Instagram, GitHub, Uber, Adobe, Mozilla and the Tor Project are just some of enterprises actively encouraging white hat hackers to participate in their own bug bounty programs. 

By the end of the month, the DoD is expected to pay around 90 program participants who found the security flaws, with bounties ranging from $100 to $15,000. DoD spokesperson Mark Wright told news portal DefenseNews that depending on the program’s success, it may consider a second run—and may even expand to cover more of the agency’s assets, according to Corey Harrison of DoD’s Defense Digital Service.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.