The Department of Defense recently ran a bug bounty program dubbed ‘Hack the Marine Corps’, a challenge focused on the Corps’ public-facing websites and services. The event was jointly created by the Department of Defense and HackerOne, a vulnerability disclosure company based out of Las Vegas, on the heels of the annual Black Hat and DEF CON conferences.
“Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture,” said Maj. Gen. Matthew Glavy, Commander, US Marine Corps Forces Cyberspace Command in a statement. “What we learn from this program will assist the Marine Corps in improving our warfighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities. It will make us more combat ready.”
The nine-hour program paid out $80,000 in prizes to the researchers for discovering 75 unique vulnerabilities. The researchers may also continue to report any flaws they find through the HackerOne-managed Marine Corps vulnerability disclosure program until August 26, 2018, but without earning a prize.
HackerOne CEO Mårten Mickos stated that HackerOne and the Marines would not reveal the details of the newly found vulnerabilities, which included the usual suspects for website flaws: authentication flaws and cross-site scripting. “The key goal of these live hacking events is to have this collegial and social [atmosphere], although it’s also a competition,” Mickos said. “They may give advice … ‘don’t go there, look here.’”