Two months after the Marine Corps launched a public bug bounty program to shore up cyber-weaknesses in its websites, the results are in.
Ethical hackers uncovered more than 150 valid vulnerabilities as part of the Hack the Marine Corps competition, netting more than $151,000 in awards during the two-week-long challenge.
“Hack the Marine Corps was an incredibly valuable experience,” Maj. Gen. Matthew Glavy, commander of U.S. Marine Corps Forces Cyberspace Command, said in a Medium post detailing the event. “Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”
Hack the Marine Corps followed in the tradition of the Department of Defense’s 2016 Hack the Pentagon challenge, deploying 105 ethical hackers to discover cyber vulnerabilities across more than 200 public-facing websites.
Hackers were able to uncover a litany of liabilities, including one weakness that allowed a trio of hackers to access “certain records related to Marine Corps personnel.” The discovery earned the group a combined $10,000 payout.
The bug bounty program, the sixth held by a DOD organization to focus on public-facing sites, officially began Aug. 12 with a live hacking session in Las Vegas to coincide with the Black Hat USA, DEF CON and BSides cyber conferences.
In the 10-hour launch session, hackers found 75 valid vulnerabilities, netting more than $80,000 in awards. The program continued through Aug. 26, with one ethical hacker earning $26,900 in total for the vulnerabilities filed.
As with previous bug bounty programs, the Defense Digital Service partnered with HackerOne to engage ethical hackers and provide them a platform to assess the selected websites.
The bug bounty programs have been largely seen as boons for the DOD, both for the vulnerabilities identified and for the relatively low cost of the competitions.
Officials said Thursday that the Hack the Marine Corps contract cost $350,000 to execute, compared with the millions that could potentially be spent on conducting network security assessments.
The DOD has conducted a total of 11 bug bounty programs since the launch of Hack the Pentagon two years ago, including sessions examining the Army, Air Force and Defense Travel Service.