Bug bounty challenge surfaces DOD proxy weaknesses
HackerOne, the crowdsourced security platform provider, announced the results of Defense Department's eighth bug-bounty program. Unlike previous challenges that focused public-facing websites and some sensitive systems, Hack the Proxy focused on finding vulnerabilities in intermediaries -- the external touchpoints to the DOD information network such as proxies, virtual private networks and virtual desktops -- that could be used by adversaries to surveil internal information.
The program -- a partnership among the Defense Digital Service, U.S. Cyber Command and HackerOne -- wrapped up Sept. 18, with 81 participating hackers from around the world submitting 31 valid vulnerabilities. Over a two-week period, hackers from the U.S., India, Turkey, Ukraine, and Canada scoured hundreds of public-facing government proxy servers to find and disclose potential problems. Of the vulnerabilities reported through the challenge, nine were considered “high severity,” one was considered “critical” and the remaining 21 were “medium/low severity”.
DOD awarded $33,750 to hackers for their efforts, with the highest single “bounty” being $5,000. The top bug bounty hunter was a U.S.-based white hat hacker who earned a total of $16,000.
“Hack the Proxy is an important approach that leverages crowd-sourced talent for an outside-in view of our vulnerabilities," said MSgt. Michael Methven at Cyber Command’s Directorate of Operations. "At little cost, we identify and mitigate vulnerabilities more effectively, making the Department’s networks more resilient and securing our data from malicious cyber actors.”
On Oct. 10, the Army and HackerOne announced the second iteration of Hack the Army, a month-long the bug bounty challenge focusing on 60 publicly accessible web assets.
“Opening up the Army’s cyber terrain to the hacker community is exactly the type of outside-the-box, partnership approach we need to take to rapidly harden and better defend our most foundational weapons system: the Army network,” said Lt. Gen. Stephen Fogarty, Army Cyber Command Commanding General.
The Hack the Proxy Challenge is Defense Digital Service's latest security initiative with HackerOne. Since the first challenge in 2016, more than 10,000 vulnerabilities have been disclosed and resolved in government systems, company officials said. Challenges have included Hack the Pentagon, Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Defense Travel System, Hack the Air Force 3.0 and Hack the Marine Corps.
Connect with the GCN staff on Twitter @GCNtech.