Ethical hackers discovered around 150 security vulnerabilities in US Marine Corps websites and related services, taking home nearly $150,000 in cash rewards during an elaborate bug-hunting program.
The US Department of Defense (DoD), in collaboration with HackerOne, recently hosted the DoD’s sixth bug-hunting program, dubbed “Hack The Marine Corps”. The bug bounty program attracted over 100 ethical hackers. The three-week-long program saw a pair of hackers split a $10,000 reward, which is the highest payout so far.
Bug bounty programs are contests that offer cash rewards to ethical hackers who can ferret out vulnerabilities that could otherwise allow cybercriminals to exploit an organization’s website or networks.
Hack The Marine Corps saw security researchers working alongside the US Marine Corps Cyberspace Command team.
“I will never forget having a two-star General looking over the shoulder of hackers while they dug deeper into a Marine Corps site with permission and oversight from the Marine Corps team. Experiences like these are incredibly valuable to the organizations, and for the hackers who rarely get that type of opportunity to dive deeper,” Luke Tucker, Sr. Director of Community at HackerOne, said in a statement.
“What we learn from this program assists the Marine Corps in improving our warfighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical diverse perspectives,” Major General Matthew Glavy, Commander of U.S. Marine Corps Forces Cyberspace Command, said. “The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”
HackerOne and the DoD launched the first bug bounty program, “Hack the Pentagon”, in 2016. Since then there have been other bug-hunting programs such as Hack the Army, Hack the Air Force, Hack the Air Force 2.0 and Hack the Defense Travel System, before the latest Hack The Marine Corps program.
Collectively, these programs have led to the discovery of over 5,000 vulnerabilities in US government systems. While the bug bounty program is over, ethical hackers who discover newer vulnerabilities can disclose them using the DoD's ongoing vulnerability disclosure program with HackerOne.