Ethical hackers found 31 vulnerabilities – one rated critical while nine got a high severity rating – during the Pentagon’s Hack the Proxy program on the HackerOne platform.
Although the Sept. 3-18 initiative was the eighth version of the bug bounty program, it was the first “focused on securing content intermediaries for publicly accessible proxy servers owned by the government,” the Defense Department said in a statement. Around 81 hackers participated in the program, which paid out $33,750 to those who uncovered valid bugs. A single hacker based in the U.S. snagged $16,000 of the bounty.
“USCYBERCOM continuously advances defensive operations. Validating capabilities, closing previously unknown vulnerabilities, and enforcing standards improve our ability to conduct multi-domain military operations,” U.S. Cyber Command’s Directorate of Operations Master Sergeant Michael Methven said in a release. “Hack the Proxy is an important approach that leverages crowd-sourced talent for an outside-in view of our vulnerabilities. At little cost, we identify and mitigate vulnerabilities more effectively, making the Department’s networks more resilient and securing our data from malicious cyber actors.”
HackerOne CEO Marten Mickos praised the Defense Department for embracing “hacker-powered security with open arms by consistently collaborating with hackers worldwide to help them find areas where they can be vulnerable to attack” since 2016.
“Each initiative has not only bolstered the DoD’s cybersecurity posture, but also served as an example of how trusting hackers can improve defense system on an ongoing basis,” he said.