The Defense Digital Services (DDS) group is tasked with pioneering private sector solutions to solve some of the Department of Defense’s most complex problems.
And pioneers they are.
Back in November, the U.S. Army coordinated with the DDS to launch its first ever bug bounty challenge: https://hackerone.com/hackthearmy. The largest branch of the U.S. military welcomed hacker registration, expanding its security efforts in an unprecedented way.
It’s a recognition that bug bounties and vulnerability disclosure policies create a legal avenue to disclose vulnerabilities, providing a method for hackers to employ their skills for good.
Background of Hack The Army
The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant websites including those mission critical to recruiting – and to that we say “Hooah!”
A few of the primary objectives of the Hack the Army bug bounty program:
- The Army is “putting their money where our mouth is” and building bridges to the private sector and talented Hackers;
- Tap into the reservoir of diverse talent of rock star hackers on HackerOne (many of whom would otherwise not work with the Army);
- Augment the incredible work the Army red teams and DDS workforce is already doing to help secure their systems and networks.
- Increase the security of mission-oriented systems and networks that house information critical to military recruiting
The Overall Results
The Hack the Army Bug Bounty program ran from Wednesday, November 30, 2016 to Wednesday, December 21, 2016.
The preliminary results show the program was a success!
Hack The Army Results
- Total registered eligible participants was 371 (eligible and invited to the program).
- Of those who participated 25 were government employees including 17 military personnel.
- The first vulnerability was reported within five minutes of program launch!
- The researchers submitted 416 reports, of them approximately 118 were unique and actionable.
- Total bounties paid to Hackers to date are estimated to be around $100K (bounties are still being awarded).
A Story of One of The Best Bugs
The most significant vulnerability found through this exercise was due to a series of chained vulnerabilities.
A researcher could move from a public facing website, goarmy.com, and get to and internal DoD website that requires special credentials to access. They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system.
On its own, neither vulnerability is particularly interesting, but when you pair them together, it’s actually very serious.
Automation alone is rarely capable of such leaps of logic. It requires a highly skilled workforce to chain together a number of independent flaws to understand the complexities of what could be something critical.
The Army remediation team that own and operate the websites, as well as the Army Cyber Protection Brigade, acted fast. Once the report was submitted, they were able to block any further attacks, and ensure there was no way to exploit the chain of vulnerabilities.
Superior Bug Bounty Hunters
While bug bounties are a way for the DoD to tap into private sector talent, sometimes the rock stars are already within their ranks. One of the researchers that participated is an Army Captain presently in school at Army’s Cyber Center of Excellence at Fort Gordon, Georgia.
In addition to having a full-time job and family, this officer registered for Hack the Army to get real, operational hands on training in addition to his extensive schooling. This exemplary individual went above and beyond to invest in his country and his career as a superior cyber operator.
The Next Chapter
The success of the Army bug bounty pilot program, coupled with the prior work on Hack The Pentagon, we’d suggest keeping your eyes peeled for more upcoming exciting news!
PS – Just a reminder that any Hackers who become aware of vulnerabilities can disclose them to DoD on HackerOne.