Through partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne today announced the results of the Department’s eighth bug bounty program, Hack the Proxy with HackerOne. This program, sponsored by U.S. Cyber Command, focused on content intermediaries, such as proxies, VPNs, and virtual desktops with the intent to find places where the many external DODIN touchpoints might be used by adversaries to surveil information that is internal to the network. Eighty-one participating hackers from around the world submitted 31 valid vulnerabilities through from September 3 to September 18, 2019. The Department of Defense awarded $33,750 to hackers for their efforts, with the highest single monetary award or “bounty” being $5,000.
“USCYBERCOM continuously advances defensive operations. Validating capabilities, closing previously unknown vulnerabilities, and enforcing standards improve our ability to conduct multi-domain military operations,” said MSgt Michael Methven at U.S. Cyber Command’s Directorate of Operations. “Hack the Proxy is an important approach that leverages crowd-sourced talent for an outside-in view of our vulnerabilities. At little cost, we identify and mitigate vulnerabilities more effectively, making the Department’s networks more resilient and securing our data from malicious cyber actors.”
Over the two-week period, hackers from the U.S., India, Turkey, Ukraine, and Canada were invited to scour hundreds of public-facing proxy servers owned by the government to find and disclose vulnerabilities. The top bug bounty hunter was a U.S.-based white hat hacker who earned a total of $16,000, almost half the total awarded bounties. Of the vulnerabilities reported through the challenge on HackerOne, nine were considered “high severity”, one was considered “critical” and the remaining 21 were “medium/low severity”.
“With each new initiative, the Department of Defense further bolsters its cyber defenses against rogue enemy actors thanks to white hat hackers from across the globe,” said Alex Romero, Digital Service Expert at the Department of Defense Defense Digital Service. “As our adversaries become more sophisticated in their tactics, we must stay one step ahead to protect our citizens and defense systems. HackerOne’s global community of vetted hackers have helped us discover and remediate vulnerabilities that represent real risk to national security.”
The Hack the Proxy Challenge is the latest program within the DoD’s Defense Digital Service ongoing hacker-powered security initiatives with HackerOne dating back to 2016. Since then, more than 10,000 vulnerabilities have been disclosed and resolved in government systems, with programs including Hack the Pentagon, Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Defense Travel System, Hack the Air Force 3.0 and Hack the Marine Corps. Hack the Proxy was the first initiative focused on securing content intermediaries for publicly accessible proxy servers owned by the government. Participation in the bug bounty challenge was open to individuals based in the United States and Foreign Nationals. U.S. government active military members and contractor personnel were also eligible to participate, but not eligible for financial rewards.
“Since 2016, the DoD has embraced hacker-powered security with open arms by consistently collaborating with hackers worldwide to help them find areas where they can be vulnerable to attack,” said Marten Mickos, CEO at HackerOne. “Each initiative has not only bolstered the DoD’s cybersecurity posture, but also served as an example of how trusting hackers can improve defense system on an ongoing basis.”
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. With over 1,500 customer programs, including The U.S. Department of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, HackerOne has helped to find over 130,000 vulnerabilities and award over $67M in bug bounties to a growing community of 500,000 hackers. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore.