The Army has been hacked -- and is happy about it
- By Sean D. Carberry
- Jan 20, 2017
In November of 2016, the Army asked to be hacked, and 371 individuals answered the call. According to newly published results of the program, the participants submitted 416 bug reports.
The first “Hack the Army” bug bounty challenge concluded in December, and organizers HackerOne said that of the participants who entered, 179 successfully submitted at least one bug. Of those, 118 turned out to be discrete, actionable vulnerabilities.
HackerOne has paid out roughly $100,000 in prize money for the effort so far.
The bounty program was the second administered by HackerOne in partnership with the Defense Digital Service. Last year, the team ran the Hack the Pentagon competition that attracted some 1,400 participants and surfaced 138 actionable bugs.
While the Pentagon bug bounty challenge focused on public sites with static data, the Army program asked hackers to rifle through dynamic sites focused on the Army’s recruiting programs.
“This is dynamic content, this is where we're gathering personal information from people who want to join the Army and people who are in the Army, and we want to make sure that that information is secure,” said the now-former Army Secretary Eric Fanning when announcing the bounty.
Another evolution in the Army bounty program is that it was open to government employees, and 25 participated, with 17 of them being military personnel.
According to HackerOne’s blog post about the bounty program, the most “significant vulnerability” was actually a series of chained vulnerabilities.
“A researcher could move from a public facing website, goarmy.com, and get to an internal DOD website that requires special credentials to access,” the post said. “They got there through an open proxy…and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system.”
According to HackerOne, the Army quickly locked down the vulnerability.
Going forward, the Pentagon won’t have to rely on formal bounty programs to find bugs in its public sites. In late November, DOD announced a vulnerability disclosure program that provides a legal framework for hackers to find and report bugs in designated DOD sites.
That program was developed in consultation with the Department of Justice and was described by former Secretary of Defense Ash Carter as a “'see something, say something' policy for the digital domain."
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.