15 June 2021

‘Hack The Army’ Uncovers 238 Cyber Vulnerabilities

By BRAD D. WILLIAMS

The bug bounty event, which began in January and ran for six weeks, invited military and civilian security researchers to find vulnerabilities within a limited time frame. This allows the Army to proactively fix the prospective cyber targets, ideally before a bad guy can exploit them.

For perspective, Hack the Pentagon found 138 unique, validated vulnerabilities in 2017, Hack The Army found 118 in late fall, and Hack the Air Force found 207, according to a story Sydney did on the program.

“We cannot afford a ‘next time we will do better’ mentality. I strongly believe a proactive approach is critical, which means finding potential problems and addressing them before they are realized,” said the Defense Digital Service’s Maya Kuang, who participated.

This year’s event included 40 military and civilian participants. Eligible civilian security researchers received more than $150,000 in total bounty payouts.

The event marked the eleventh overall coordinated by DDS and HackerOne, a platform where security researchers can post information on cybersecurity vulnerabilities they discover across a range of products and services.

“It’s always interesting to see what vulnerabilities and weaknesses are hiding in plain sight,” said Johann R. Wallace, compliance division chief at Army Network Enterprise Technology Command. “Hack the Army does a tremendous job of exposing content and coding errors that our normal compliance-based scanning had overlooked. Just because a system is patched doesn’t mean that it’s secure… As we like to tell our users: ‘Someone is going to pen test (penetration test) your servers – better to have it be someone we’re paying’.”

There were 11 assets in scope for this year’s event, mostly online domain targets of specific Army interest, as well as sign-on/authentication services and Army-owned virtual private networks (VPNs).

The entire army.mil domain was also fair game, but only certain categories of vulnerabilities netted a bounty payment.