The Pentagon has paid more than $275,000 to “bug bounty” hackers for finding bugs on common military networks, which defense officials claim is a move toward developing a safer Web.
Earlier in the week, the Defense Department, in collaboration with the Defense Digital Service and the HackerOne cyber security community, announced the winners of “Hack the Army 2.0,” which helps hackers to find security flaws.
More than 60 publicly available site properties, including army.mil, goarmy.mil and Arlington Cemetery, were covered by the competition, which concluded in November.
According to a joint statement, fifty-two hackers from around the world recorded 146 flaws over five weeks.
“Hackers from the U.S., Canada, Romania, Portugal, Netherlands, and Germany participated, with the first vulnerability being reported within four hours of the program launching,” the statement said.
“Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,” Alex Romero, digital service expert at the Defense Digital Service, said in a statement. “With each Hack the Army challenge, our team has strengthened its security posture.”
For several years, the military has funded bug bounties in conjunction with heightened security issues.
The top individual payout was $20,000.
The threat posed by hackers goes far beyond freely exposed military websites. A 2018 GAO study reported that cyber flaws are common and can affect actual operations.
Difficulty hiring and retaining highly skilled professionals, whose skills command top dollar in the private sector, is part of the challenge in improving defenses, the GAO said.
The program aims to expose flaws to security teams, so that digital assets can be properly protected.
“It is so exciting to know that the vulnerabilities I find go towards strengthening Army defenses to protect millions of people,” the hacker said.
The first Hack the Army campaign was initiated in 2016, and 371 individuals, including government and military officials, participated. A total of 118 vulnerability reports were considered valid, and bug bounty payments totaled $100,000.