Bug bounty event

Paid Bug Hunt Reveals Hundreds of Vulnerabilities in Department of Defense Networks

A challenge offering cash rewards to ethical hackers who can identify as many vulnerabilities in Department of Defense networks as possible has uncovered 90 “unique high and critical vulnerabilities,” the Chief Digital and Artificial Intelligence Office revealed. The Hack U.S. program, which began on July 4 and ends on July 11, also led to the discovery of 78 other possible vulnerabilities that need to be examined further, FedScoop reported Friday.

The bug hunt, which the DOD conducted with cybersecurity company HackerOne, earmarked $110,000 in rewards for hackers who can point out weaknesses in the defense agency’s networks. The initiative marked the first time the agency offered to pay those who can spot vulnerabilities in its scope of assets, according to CDAO spokesperson Kathleen Clark.

Clark said that an additional 111 unique vulnerabilities that were not severe enough for a payout were also pinpointed. She added that because only critical and high vulnerabilities that could severely limit the confidentiality, availability or integrity of a system were eligible for a bounty, participating hackers worked towards “big-game bug hunting.”

For her part, Katie Olson Savage, deputy chief digital and artificial intelligence officer and Defense Digital Service director, said that the week-long effort has proven to be a step in the right direction given the robust response and the disclosure of critical vulnerabilities. She added that Hack U.S. has managed to attract top talent to help improve the DOD’s cybersecurity posture.