The Army has been hacked -- and is happy about it

Shutterstock image.

In November of 2016, the Army asked to be hacked, and 371 individuals answered the call. According to newly published results of the program, the participants submitted 416 bug reports.

The first “Hack the Army” bug bounty challenge concluded in December, and organizers HackerOne said that of the participants who entered, 179 successfully submitted at least one bug.  Of those, 118 turned out to be discrete, actionable vulnerabilities.

HackerOne has paid out roughly $100,000 in prize money for the effort so far.

The bounty program was the second administered by HackerOne in partnership with the Defense Digital Service. Last year, the team ran the Hack the Pentagon competition that attracted some 1,400 participants and surfaced 138 actionable bugs.

While the Pentagon bug bounty challenge focused on public sites with static data, the Army program asked hackers to rifle through dynamic sites focused on the Army’s recruiting programs.

“This is dynamic content, this is where we're gathering personal information from people who want to join the Army and people who are in the Army, and we want to make sure that that information is secure,” said the now-former Army Secretary Eric Fanning when announcing the bounty.

Another evolution in the Army bounty program is that it was open to government employees, and 25 participated, with 17 of them being military personnel.

According to HackerOne’s blog post about the bounty program, the most “significant vulnerability” was actually a series of chained vulnerabilities.

“A researcher could move from a public facing website,, and get to an internal DOD website that requires special credentials to access,” the post said. “They got there through an open proxy…and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system.”

According to HackerOne, the Army quickly locked down the vulnerability.

Going forward, the Pentagon won’t have to rely on formal bounty programs to find bugs in its public sites. In late November, DOD announced a vulnerability disclosure program that provides a legal framework for hackers to find and report bugs in designated DOD sites.

That program was developed in consultation with the Department of Justice and was described by former Secretary of Defense Ash Carter as a “'see something, say something' policy for the digital domain."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.