
White Hat Hackers Uncovered 138 Bugs in U.S. Defense Systems Bug Bounty Program

The "Hack the Pentagon" bug bounty program run by the United States Department of Defense (DoD) has proved successful: white hat hackers uncovered more than 100 vulnerabilities in Pentagon infrastructure.

HackerOne hosted the Department of Defense (DoD) "Hack the Pentagon" pilot, the first commercial bug bounty program ever run by the U.S. Government.

In March, the Defense Department launched what it called "the first cyber Bug Bounty Program in the history of the federal government," inviting hackers to take up the challenge of finding bugs in its networks and the public-facing websites registered to the DoD.

Around 1,400 white hat (ethical) hackers participated in the Hack the Pentagon program and were awarded up to $15,000 for disclosing the most damaging vulnerabilities in the DoD's networks, Defense Secretary Ashton Carter said at a technology forum on Friday.

"They are helping us to be more secure at a fraction of the cost," Carter said. "And in a way that enlists the brilliance of the white hatters, rather than waits to learn the lessons of the black hatters."

The Hack the Pentagon program, hosted on the bug bounty platform HackerOne, was open between April 18 and May 12, 2016. All participants were required to pass a background check.
Although hackers and bug hunters were permitted to test the agency's web properties, the Pentagon's critical and highly sensitive systems were out of scope for the bounty program.

When Hack the Pentagon was initially announced in March, Carter said he believed the effort would "strengthen our digital defenses and ultimately enhance our national security."

Program Overview Statistics
• Total registered participants: 1,410
• Total reports submitted: 1,189
• Unique valid reports: 138
• Average bounty amount: $588
• Total bounties paid: $71,200

The most common vulnerability type reported was Cross-Site Scripting (XSS), followed by Information Disclosure and Cross-Site Request Forgery (CSRF).

The most severe vulnerability submitted, and the one that received the highest bounty, was a SQL injection.

source: HackerOne
