The Army has been hacked -- and is happy about it

Shutterstock image.

In November of 2016, the Army asked to be hacked, and 371 individuals answered the call. According to newly published results of the program, the participants submitted 416 bug reports.

The first “Hack the Army” bug bounty challenge concluded in December, and organizers HackerOne said that of the participants who entered, 179 successfully submitted at least one bug.  Of those, 118 turned out to be discrete, actionable vulnerabilities.

HackerOne has paid out roughly $100,000 in prize money for the effort so far.

The bounty program was the second administered by HackerOne in partnership with the Defense Digital Service. Last year, the team ran the Hack the Pentagon competition that attracted some 1,400 participants and surfaced 138 actionable bugs.

While the Pentagon bug bounty challenge focused on public sites with static data, the Army program asked hackers to rifle through dynamic sites focused on the Army’s recruiting programs.

“This is dynamic content, this is where we're gathering personal information from people who want to join the Army and people who are in the Army, and we want to make sure that that information is secure,” said the now-former Army Secretary Eric Fanning when announcing the bounty.

Another evolution in the Army bounty program is that it was open to government employees, and 25 participated, with 17 of them being military personnel.

According to HackerOne’s blog post about the bounty program, the most “significant vulnerability” was actually a series of chained vulnerabilities.

“A researcher could move from a public facing website,, and get to an internal DOD website that requires special credentials to access,” the post said. “They got there through an open proxy…and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system.”

According to HackerOne, the Army quickly locked down the vulnerability.

Going forward, the Pentagon won’t have to rely on formal bounty programs to find bugs in its public sites. In late November, DOD announced a vulnerability disclosure program that provides a legal framework for hackers to find and report bugs in designated DOD sites.

That program was developed in consultation with the Department of Justice and was described by former Secretary of Defense Ash Carter as a “'see something, say something' policy for the digital domain."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.