‘Hack the Army’ Uncovers Digital Gaps

Jan. 26, 2017

Preliminary results are in for what has been billed as the “most ambitious federal bug bounty program to date.” “Hack the Army,” launched in November, invited outside experts to help identify vulnerabilities in Army computer systems.

A total of 371 registered participants—including 17 service members—logged 416 reports of potential vulnerabilities in the systems they were allowed to probe, according to HackerOne, the bug bounty platform that ran the program under Pentagon contract. Some 118 of those reports were later validated as actionable by the Army.

Bounties paid so far to Hack the Army participants total about $100,000, with more still being awarded.

Army officials have called Hack the Army an effort to find new ways of doing business in a technological landscape that often changes faster than the military's own processes can keep pace with.

From Nov. 30 through Dec. 21, Hack the Army invited members of the public, U.S. government civilians and even active-duty troops to register and test their hacking skills by trying to break into a defined list of Army websites and databases considered critical to the service’s recruiting mission. The goal was to identify weaknesses with an eye toward fixing them before someone less friendly found them.

The most significant actionable report involved a series of “chained vulnerabilities,” HackerOne reported. Starting at the public website goarmy.com, a bounty hunter was able to get to an internal DoD site that requires special credentials to access. The link between the two was an “open proxy”: the public-facing server would forward requests on to other hosts it could reach, including the internal site, so it could be used as a hop into a network segment that should never have been reachable from the internet.

“On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious,” a HackerOne statement said.
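The following is an added illustration of the open-proxy class of misconfiguration described above, not code from goarmy.com, the Army or HackerOne. It contrasts a forwarder that takes its upstream from whatever the client asked for (absolute-form request targets or the Host header) with one that routes only by path prefix into a fixed table and refuses internal addresses. All host names and requests are constructed for the example.

```python
"""Open proxy vs. allowlisted forwarder: an added example, not the Army's or
HackerOne's code. Host names and requests below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Fixed routing table: which upstream each public path prefix may reach.
# Constructed for this example.
ROUTES = {
    "/api/": "recruiting-api.example",
    "/static/": "cdn.example",
}


def is_internal_address(host: str) -> bool:
    """True for literal IPs in private, loopback, link-local or reserved ranges.
    Hostnames are not resolved here (offline example); a real deployment would
    resolve first and check every returned address."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def vulnerable_upstream(request: dict):
    """Open-proxy behaviour: the upstream comes from the client's own request
    (absolute-form target, else the Host header), so any host the edge server
    can reach is fair game. Deliberately insecure to model the gap."""
    parts = urlsplit(request["target"])
    host = parts.hostname or request["headers"].get("Host")
    path = parts.path or "/"
    return host, path


def hardened_upstream(request: dict):
    """Route only by path prefix into ROUTES; never trust a client-supplied
    host, reject absolute-form targets, and refuse internal addresses."""
    parts = urlsplit(request["target"])
    if parts.scheme or parts.netloc:
        return None  # absolute-form targets are not accepted at the edge
    path = parts.path or "/"
    for prefix, upstream in ROUTES.items():
        if path.startswith(prefix):
            if is_internal_address(upstream):
                return None  # misconfigured table entry; fail closed
            return upstream, path
    return None  # no route: nothing is forwarded


# Constructed requests: one ordinary, two shaped like proxy-abuse attempts.
NORMAL = {"target": "/api/enlist", "headers": {"Host": "www.example"}}
ABSOLUTE = {"target": "http://10.20.30.40/admin/", "headers": {"Host": "www.example"}}
HOST_OVERRIDE = {"target": "/admin/", "headers": {"Host": "intranet.example"}}


def demo():
    """Return (name, open-proxy decision, hardened decision) per request."""
    rows = []
    for name, req in (("normal", NORMAL), ("absolute-form", ABSOLUTE),
                      ("host-override", HOST_OVERRIDE)):
        rows.append((name, vulnerable_upstream(req), hardened_upstream(req)))
    return rows


if __name__ == "__main__":
    for name, weak, hard in demo():
        print(f"{name:14} open-proxy -> {weak}   hardened -> {hard}")
```

Run as a script, the two abuse-shaped requests show the difference: the open-proxy forwarder happily targets 10.20.30.40 and intranet.example, while the hardened one returns no upstream for either. The same shape of check, applied at the public edge, is what closes the first link of the chain the report describes.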

“Bringing in creative hackers from a wide variety of backgrounds can fundamentally improve the way we protect our soldiers and secure our systems,” said Chris Lynch, head of the Defense Digital Service, which partnered with the Army on its “bug hunt.”