December 7, 2022

Business Continuity Management / Disaster Recovery, Critical Infrastructure Security, Endpoint Security

Department Paid $110,000 in Rewards for Submitted Vulnerability Reports

Prajeet Nair (@prajeetspeaks) • October 1, 2022

The U.S. Department of Defense uncovered almost 350 vulnerabilities in the department’s networks as part of its experimental bug bounty program launched on American Independence Day.


The week-long bug bounty challenge, which ran from July 4 to July 11, was launched by the Chief Digital and Artificial Intelligence Office, the Directorate for Digital Services, the DoD Cyber Crime Center and vulnerability disclosure partner HackerOne, a private firm whose platform lets researchers submit information about vulnerabilities and receive cash rewards for their disclosures.

While announcing the results, HackerOne says the DoD gained critical insights into how the hacker community competes for prizes, with the end goal of strengthening the security of the hundreds of thousands of assets in the DoD scope.

Key Findings

Around 270 ethical hackers submitted 648 vulnerability reports under the DoD’s vulnerability disclosure program, of which about 350 were deemed “actionable.” Several of these were critical vulnerabilities that were remediated while the bug bounty challenge was still running.

As part of the program, called “Hack U.S.,” the DoD paid a total of $75,000 in rewards for submitted vulnerability reports and $35,000 in bonus awards.

“In just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge. This (…) shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner,” says Melissa Vice, the VDP director.

Vice says that the initial evaluation of the Hack U.S. reporting results found that the most commonly identified vulnerability category was “Information Disclosure.”

“With the identification of vulnerability trends, we can seek out patterns of detection and ultimately create new processes and system checks to ensure we address the root cause and develop further mitigations against malicious actors who might try to exploit our systems,” Vice says.

Other top flaws included Improper Access Control – Generic and SQL Injection. An improper access control weakness describes software that fails to restrict access to a resource from an unauthorized actor, typically because it authenticates the caller but never checks that the caller is entitled to the specific object requested. SQL injection occurs when untrusted input is concatenated into a database query, letting an attacker change the structure of the query rather than merely supplying a value.
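The two weakness classes named above are easiest to see side by side. The following is an added example, not code from the DoD program, HackerOne or this article: a constructed SQLite database with a handful of made-up users and documents, a vulnerable and a fixed lookup for each class, and a tautology payload that works against the vulnerable query but is harmless against the parameterized one.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when an authenticated caller requests an object they do not own."""


def make_db():
    # Constructed sample data for the example; none of it is real.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)],
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(10, 1, "alice-travel-orders"), (11, 2, "bob-medical-form")],
    )
    return conn


# --- SQL Injection -----------------------------------------------------------

def find_user_vulnerable(conn, username):
    # Untrusted input is pasted into the SQL text, so a quote in the input
    # closes the string literal and the rest becomes part of the query.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    # Parameterized query: the value is bound separately from the SQL text and
    # can only ever be compared as data, whatever characters it contains.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Improper Access Control (Generic) ---------------------------------------

def get_document_vulnerable(conn, requesting_user_id, doc_id):
    # The caller is authenticated (we know their id) but the function never
    # checks that the document belongs to them: any user can read any doc_id.
    sql = "SELECT id, owner_id, title FROM documents WHERE id = ?"
    return conn.execute(sql).fetchone() if False else conn.execute(sql, (doc_id,)).fetchone()


def get_document_fixed(conn, requesting_user_id, doc_id):
    # Authorization is decided on the server from the stored owner and the
    # caller's role, never from anything the client sent.
    sql = "SELECT id, owner_id, title FROM documents WHERE id = ?"
    row = conn.execute(sql, (doc_id,)).fetchone()
    if row is None:
        return None
    role = conn.execute("SELECT is_admin FROM users WHERE id = ?", (requesting_user_id,)).fetchone()
    is_admin = bool(role and role[0])
    if row[1] != requesting_user_id and not is_admin:
        raise Forbidden(f"user {requesting_user_id} may not read document {doc_id}")
    return row


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology: WHERE username = '' OR '1'='1'
    print("vulnerable:", find_user_vulnerable(db, payload))   # every user row
    print("fixed:     ", find_user_fixed(db, payload))        # []
    print("bob reads alice's doc (vulnerable):", get_document_vulnerable(db, 2, 10))
    try:
        get_document_fixed(db, 2, 10)
    except Forbidden as exc:
        print("bob reads alice's doc (fixed):", exc)
```

Running the block shows the vulnerable query returning all three users for the tautology payload while the parameterized version returns nothing, and bob receiving alice's record from the unchecked lookup while the fixed version raises. The remediation for both classes is the same shape the article's quotes point at: decide the query structure and the authorization outcome on the server, and treat everything from the client as data.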

“We have to make sure we stay two steps ahead of any malicious actor. This crowd-sourced security approach is a key step to identifying and closing potential gaps in our attack surface,” says Katie Savage, deputy chief digital and artificial intelligence officer at Defense Digital Service.

Hack The Pentagon

The Pentagon has experimented since 2016 with accepting vulnerability reports from security researchers, and recently credited researchers with the closure of more than 6,000 vulnerabilities on public, internet-facing military IT systems in 2021 alone.

The “Hack the Pentagon” program was launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. The program is overseen by the DoD Cyber Crime Center (see: ‘Hack the Pentagon’ Program Expands).

The July 2022 announcement came shortly after the close of a yearlong pilot, run by HackerOne, in which a few dozen volunteer companies from the defense industrial base offered bug bounties.

Bug bounties moved into the mainstream over the past decade, particularly as major technology companies, including Google, Facebook and Microsoft, have set up programs to accept unsolicited reports from outside researchers.

HackerOne’s stance is that money isn’t the overriding motivation for all hackers. A recent company survey concluded that while bounties motivate about three-quarters of hackers, more than 8 in 10 say they also participate in bounty programs to expand their skills. More than 6 in 10 say bounties help advance their careers.
