Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:45 PM
Connect Directly

US Army Challenges Security Researchers To 'Bring It On'

Army to offer cash rewards to bug hunters who find security vulnerabilities in its recruiting sites and database systems that have ties to the Army's core operational systems.

The US Army Wants You. To hack into its computer systems, that is.

Inspired by the success of the nearly month-long “Hack the Pentagon” pilot program earlier this year, the US Army has announced a new bug bounty program in collaboration with HackerOne.

The “Hack the Army” initiative is similar to the Pentagon’s program in that it will give eligible white hat hackers a way to earn cash rewards for finding vulnerabilities in specified Army computing systems.

The goal is to try and strengthen Army cybersecurity measures by having independent security researchers and professional bug hunters take a crack at them, Secretary of the Army Eric Fanning announced at a press conference late Friday.

“The Army is reaching out directly to a group of technologists and researchers who trade in figuring out how to break into computer networks they are not supposed to,” Fanning said.

Typically, the inclination has been to avoid contact with such people, Fanning said. “Here, we are not just meeting them face-to-face, we are challenging them,” he said. "Take your best shot. Bring it on.”

Over the next few weeks, HackerOne will invite a group of security researchers and bug hunters to participate in the Army challenge. Unlike the Hack the Pentagon effort, the Army’s bug bounty program will be open to properly registered active duty military personnel and employees from civilian government agencies. The Army has secured all the necessary legal approvals to enable this participation, Fanning said.

The full list of Army websites and databases that bug hunters will be allowed to take a crack at under the program will be announced later. But Fanning described them as vital to the Army’s day-to-day recruiting mission.

Unlike the static websites in the Hack the Pentagon program, all eligible systems in the Hack the Army challenge host dynamic content and have deep ties to the Army’s core operational systems, he said.

“What Hack the Pentagon validated is that there are a large number of technologists and innovators who want to make a contribution to our nation’s security but lack an avenue for doing so.”

Hack the Army is only the second-ever bug bounty program from the U.S. federal government.

The 24-day Hack the Pentagon program between April 18 and May 12 this year was its first-ever and resulted in a total of 138 bugs being detected and resolved in the Pentagon’s systems.

The first bug submission to the program came just 13 minutes after the challenge was formally issued. It grew to nearly 200 submissions in six hours. Over the entire duration of the program, researchers submitted bug disclosures at the rate of nearly one every 30 minutes.

According to HackerOne, which managed that program as well, a total of 1,410 bug hunters registered with it for a chance to try and discover vulnerabilities in the Pentagon’s systems. Of that number, 250 were successful in finding vulnerabilities of which 138 were found to be legitimate and eligible for a cash bounty.

Payouts under the Pentagon pilot range from $100 to $15,000 to one individual with multiple successful bug submissions. HackerOne said it paid a total of $75,000 in big bounties under Hack the Pentagon.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).