The U.S. Army on Thursday shared the outcome of its first bug bounty, which concluded a three-week trial on Dec. 21, calling the program a success.
The Hack The Army bounty, announced last fall, was the second such government rewards program, debuting months after the conclusion of the Hack the Pentagon bounty. Government officials positioned both programs as a vehicle for outreach to white-hat hackers and researchers, inviting a select number to participate and try to penetrate online properties and databases normally off-limits.
“The Army is reaching out directly to a group of technologies and researchers who are trained in figuring out how to break into computer networks they’re not supposed to; people we normally would have avoided,” said former Secretary of the Army Eric Fanning in announcing Hack the Army in November.
Yesterday, the Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000. The Army added that 371 people were invited to take part, 25 of which were government employees including 17 from the military.
The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.
“They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system,” said a post published on HackerOne, which managed the two bounty programs on its platform. “On its own, neither vulnerability is particularly interesting, but when you pair them together, it’s actually very serious.”
The post goes on to tout the importance of skilled people looking for security issues rather than relying solely on automated systems to root out vulnerabilities. The Army, meanwhile, said it addressed the two vulnerabilities, which can no longer be used in concert to attack the site and the internal DoD site.
The Hack the Army bounty was open to private sector researchers, as well as to researchers from the military and government. It was launched on the success of Hack the Pentagon, which ran for 24 days in April, resulted in 138 vulnerabilities being patched, and paid researchers from a pool of $150,000.
“We recognize we cannot continue to do business the way that we are, and that we’re not agile enough to keep up with things that are happening in the tech world,” Fanning said in November. “There are people all over the world trying to get access to our sites, our data, our information. We have very well trained, capable teams in the military and the Department of Defense, but it’s not enough.”