The annual Hack The Army event found 238 vulnerabilities, 102 being critical security gaps that needed immediate fixing, event organizers disclosed Thursday.
This year’s “Hack The Army 3.0,” organized in January 2021 for six weeks, involved 40 “top-tier” security researchers from both military and civilian backgrounds, testing a range of assets to find security flaws. It is the 11th Hack the Army event, which is a bug bounty program modeled on a practice common in the private sector of paying security researchers when they find vulnerabilities. The Army paid out more than $150,000 to civilians who participated.
Hack the Army is part of Hack the Pentagon, which is a series of bug bounty challenges for varying assets and branches of the military run by the Defense Digital Service.
“By inviting skilled hackers to test the US military’s digital assets, the DDS and the US Army demonstrate that hacker-powered security has become a mainstream best practice for organizations requiring continuous security testing,” Alex Rice, HackerOne’s co-founder and chief technology officer, said in a statement. “It’s been an exciting journey to chart the successes of the three Hack The Army initiatives and watching the hacking community help strengthen the nation’s cybersecurity defenses.”
The goal is to find security gaps by replicating adversary activity against a network or other part of the organization’s domain. The federal government has previously struggled to form close bonds with so-called “white hat” hackers, who only mimic adversaries, and to prove to them that they won’t face any legal jeopardy for their work and that they can share their findings. DDS also recently expanded its policy on which assets hackers are permitted to target.
HackerOne and similar platforms act as an intermediary, hosting the parts of an organization’s network that are acceptable for hackers to target, so that over-ambitious security researchers do not compromise live systems. The use of services such as HackerOne helps to mitigate suspicion in the security community about working with the government.
“We are trying to first be a valuable member of the community,” former assistant secretary of the Air Force for acquisition, technology and logistics, Will Roper, said in May 2020 about the military’s place in the hacker community. To do that, the department will be putting “meaningful activity on the table.”
HackerOne has been trying to capitalize on requirements in 2020 that agencies develop vulnerability disclosure programs. The Cybersecurity and Infrastructure Security Agency (CISA) launched its own bug bounty platform Tuesday.