Considering the nature of its work, it’s no surprise that the Pentagon is of huge interest to hackers, whether state sponsored or pajama wearing (OK, they could be one and the same).
Keen to beef up its cyber security to keep unwelcome visitors at bay, the Department of Defense (DoD) recently launched its first-ever bug bounty program, aptly named “Hack the Pentagon.”
Such schemes are pretty common these days, with companies like Google and Facebook inviting so-called “white hat” hackers – those doing it to help rather than cause havoc – to probe their online systems for vulnerabilities.
Set up by the DoD in partnership with HackerOne, a Silicon Valley firm that offers bug bounty services, Hack the Pentagon drew upon the skills of 1,410 white-hat hackers, with the first vulnerability report filed just 13 minutes after the challenge started.
Running for just under a month up until May 12 and focusing on five of its public-facing websites, the DoD’s program turned up a whopping 138 security vulnerabilities deemed “valid and unique,” officials revealed over the weekend. And yes, they’ve already been closed to prevent future trouble.
As a reward for their work, the defense department shared out a bounty worth around $75,000 among the hackers.
Having found so many vulnerabilities, it’s little surprise that the DoD deemed the exercise a success. And, perhaps startled that so many flaws were surfaced, it’s decided to extend the program. Starting this month, its three-pronged approach will include a “vulnerability disclosure process and policy” for the defense department so anyone with information about security weaknesses in its systems, networks, applications, and websites can submit details “without fear of prosecution.”
It also includes incentives in its acquisition policies to encourage greater transparency among contractors, and finally, it’ll expand the bug bounty programs to other parts of the department.
The Pentagon revealed in 2009 it’d spent more than $100 million in a six-month period dealing with damage caused by “daily” cyber attacks on its networks, with the intrusions carried out by everyone from “the bored teenager all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in between,” an official said at the time.