The Defense Department is finding out just how vulnerable its contractor’s networks are after the completion of a year-long bug bounty program.
Over one year, the hackers probed 41 companies and found more than 400 vulnerabilities that needed mitigation.
“DoD Cyber Crime Center’s DoD Vulnerability Disclosure Program has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” said Melissa Vice, interim director of the Vulnerability Disclosure Program. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared defense industrial base company assets with potential risks for critical infrastructure and U.S. supply chain.”
The pilot originally launched with 14 companies and 141 assets and expanded to 41 businesses and 348 assets.
The companies voluntarily joined the bug bounty-like program and agreed to have HackerOne, an organization of ethical hackers, look for holes.
The pilot is the biggest look into the vulnerability of DoD’s industrial base. That is becoming especially important now that the military is concerned about the strength of its supply chain that the businesses it relies on for equipment and services.
For six years, the Defense Department has put a target on its back and voluntarily told hackers to have at it with certain systems through bug bounties and hackathons.
Last year, it expanded that tactic to all of its publicly accessible Defense information systems including public networks, internet of things, industrial control systems, frequency-based communication and more.
The growth signaled success in using contractors and white-hat hackers as a means of bettering the military’s cybersecurity.
“The DoD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems,” said former Director of the Defense Digital Service Brett Goldstein said last year.
The original program focused on more benign areas of the Pentagon’s networks like front-facing websites.
During the hackathons and bug bounty competitions, DoD offered cash rewards to hackers that could penetrate their systems. The first ever bug bounty contest found 138 vulnerabilities.
The first vulnerability report arrived seven minutes after the contest started, and 1,410 pro and amateur hackers from 44 states wound up making 1,189 reports of security problems during the three-week program.
The military services and other Defense agencies have followed suit in creating their own competitions.
White-hat hackers found 54 vulnerabilities in the Air Force’s Cloud One in 2019. The environment uses Amazon Web Services and Microsoft Azure to host the Air Force portal and more than 100 other applications used by airmen every day.
Since the creation of bug bounties and hackathons, DoD has caught more than 40,000 vulnerabilities.