"Hack the Pentagon" Program Results - 138 vulnerabilities / DoD pays out $150K

Quote

WASHINGTON, June 17, 2016 — Cracking open his laptop between classes as he finished up his senior year in high school, 18-year-old David Dworken was on an important mission for the Pentagon, according to Defense Secretary Ash Carter.

Dworken was among the more than 1,400 hackers invited to take part in the first bug bounty program for the federal government, Carter said today at an event in which he was joined by Dworken and others involved in the "Hack the Pentagon" pilot program.

More than 250 participants submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be "legitimate, unique and eligible for a bounty," Carter said.

The pilot program, which ran from April 18 to May 12, cost $150,000, Carter said.

/snip

Lessons Learned

The pilot program was conducted against publicly available websites, according to Chris Lynch, the director of the Defense Digital Service, the DoD agency that led the program. Mission critical systems were not involved, he pointed out.

He said they were looking for vulnerabilities that would allow someone to gain access to a system through a current user or allow a hacker to maliciously gain access to other networks or other systems.

"Even though it was a public set of websites, there's a lot that we can learn from even what seemed to be fairly simple publicly accessible sites," Lynch said.

The program targeted five public-facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman.

The payouts ranged from about $100, all the way up to $15,000 to a participant who had multiple submissions, according to Lisa Wiswell, with the Defense Digital Service.

/snip

More at the U.S. Department of Defense