Less than one month after establishing a bug-bounty program, the US Army has paid out approximately $100,000 in total to researchers.
The first vulnerability was reported within six minutes of the program launch.
The program, facilitated by HackerOne, kicked off 30 November and concluded 21 December. During the three-week program, 179 hackers participated by submitting at least one bug. In all, 416 bugs were submitted, 120 of which were actionable, meaning unique and not duplicates. Resolutions and patches are expected through mid-February 2017.
The most significant vulnerability found through this exercise came from a chain of individually minor vulnerabilities, according to HackerOne’s breakdown of the results:
“A researcher could move from a public facing website, goarmy.com, and get to an internal DoD website that requires special credentials to access. They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system. On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious.”
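The chained finding quoted above began with an open proxy: a public-facing front end that would relay requests to any destination, internal hosts included. The following added example (not code from the original article, HackerOne or the Army) contrasts that behaviour with an allow-list forwarding check, and shows how the same allow-list can be run over proxy access logs to flag forwards that should never have happened. All hostnames, networks, addresses and log lines are constructed for illustration.

```python
"""Added example: deciding whether a proxy may forward a request, and auditing
proxy logs for forwards outside the allow-list. Names and addresses below are
constructed placeholders, not values from the original report."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of the upstream hosts this proxy is meant to serve.
ALLOWED_UPSTREAMS = {"www.example-public.test", "static.example-public.test"}

# Address ranges a public-facing proxy should never reach, whatever name
# the request carried (covers IP literals and DNS answers alike).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


def is_internal_address(ip_text: str) -> bool:
    """True when the address falls inside one of the blocked ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in BLOCKED_NETWORKS)


def open_proxy_decision(target_url: str) -> bool:
    """The misconfiguration: relay to whatever host the client names."""
    return bool(urlsplit(target_url).hostname)


def allowlisted_proxy_decision(target_url: str, resolved_ip: str) -> bool:
    """Forward only when the scheme is web traffic, the hostname is on the
    allow-list, and the address the name resolved to is not internal.

    resolved_ip is the DNS answer the proxy obtained (passed in here so the
    example runs offline); checking it catches a name that is allow-listed
    but points into the internal network.
    """
    parts = urlsplit(target_url)
    host = parts.hostname
    if not host or parts.scheme not in ("http", "https"):
        return False
    # IP literals are refused outright: the allow-list is names only.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host.lower() not in ALLOWED_UPSTREAMS:
        return False
    return not is_internal_address(resolved_ip)


# Constructed proxy access log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2016-12-01T10:00:00Z 198.51.100.7 GET https://www.example-public.test/index.html 200",
    "2016-12-01T10:00:04Z 198.51.100.7 GET https://static.example-public.test/app.js 200",
    "2016-12-01T10:01:12Z 198.51.100.9 GET http://10.20.30.40/internal/login 200",
    "2016-12-01T10:01:30Z 198.51.100.9 GET http://intranet.example-internal.test/ 302",
]


def find_suspicious_forwards(log_lines):
    """Return the URLs the proxy forwarded to destinations that are either
    not on the allow-list or are IP literals inside a blocked range."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        url = fields[3]
        host = urlsplit(url).hostname or ""
        try:
            literal_internal = is_internal_address(host)
        except ValueError:
            literal_internal = False  # not an IP literal
        if literal_internal or host.lower() not in ALLOWED_UPSTREAMS:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in find_suspicious_forwards(SAMPLE_LOG):
        print("forward outside allow-list:", url)
```

The allow-list check is deliberately name-based with a separate test on the resolved address: an open proxy is usually a routing rule that forwards on whatever Host or URL it receives, and closing it means both refusing unknown names and refusing allow-listed names whose DNS answer lands in an internal range. The log audit applies the same rule retrospectively, which is the check an incident responder would run to see whether a proxy had already been used as a pivot.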
The success of the Army bug-bounty pilot program, coupled with the earlier Hack the Pentagon effort, will pave the way for further bug-hunting programs, the organizations said.
The Department of Defense in October awarded a contract to HackerOne and fellow bug-bounty platform Synack to create a two-pronged program. The Crowdsourced Security Initiative includes bounties for flaws in public-facing properties, which will continue to be managed by HackerOne; and for those found in mission-critical and sensitive IT assets, which is the larger of the two and will be run by Synack.