The Department of Defense’s latest bug bounty program exposed more than 100 security vulnerabilities worth $80,000 to the hackers who looked through the department’s travel booking system, officials said.
HackerOne, a company that has supported bug bounty programs for the Air Force, Army and the Pentagon at large, ran Hack the DTS (Defense Travel System), which lasted 29 days and concluded April 29, 2018.
DTS is used by millions of Pentagon employees around the world, making it one of the most wide-reaching pieces of enterprise software in the U.S. government.
“Securing sensitive information for millions of government employees and contractors is no easy task,” Reina Staley, Chief of Staff and Hack the Pentagon program manager at Defense Digital Service, said in a statement. “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS.”
Just 19 vetted hackers took part in the program. They found 65 unique vulnerabilities, including 28 ranking high or critical in severity. The highest bounty was $5,000, paid out eight times. It was the second such program to allow social engineering as part of the search for bugs.
Programs like this happen frequently now and vary in size. Three months ago, a similar Hack the Air Force program paid out $103,883 in bounties to freelance hackers for 106 vulnerabilities found over a 20-day period.
The Pentagon’s growing love of bug bounty programs has helped the industry’s rapid growth across companies like HackerOne, Bugcrowd and Synack.