The Pentagon Opened Up to Hackers - And Fixed Thousands of Bugs

DooKey

Over the last couple of years the Pentagon has been offering bounties to people who submit vulnerabilities, and one hacker made a total of $15K by reporting multiple bugs. This worked out great for the DoD, but people kept submitting bugs after the various bug bounties were over. What they've decided to do now is have an open-ended Vulnerability Disclosure Policy that doesn't offer rewards, but will legally allow people to submit bugs at any time related to public-facing websites and web applications owned by the DoD. Over the last year 650 people have submitted almost 3,000 unique, valid vulnerabilities. Who says the DoD can't learn new tricks?

That newfound acceptance has spread. Over the last year, DoD has also run a few private bug bounties on more sensitive systems through the penetration testing firm Synack, which was awarded a contract to focus on assessing internal platforms. And outside the Department, the General Services Administration and Department of Homeland Security are both working on bug bounties as well.
 
Wonder if the folks who turn in vulnerabilities that are verified get some kind of certificate or other proof of what they did? Especially the ones that turn stuff in outside the bug bounty window? I would think that having a few "I hacked the Pentagon" certificates might be worth some credit when pursuing a job with a cyber security firm.
 
IDK whether to say the DoD is on its way to becoming "opensource" or just realizing they're in "beta testing" :)
 
> Wonder if the folks who turn in vulnerabilities that are verified get some kind of certificate or other proof of what they did? Especially the ones that turn stuff in outside the bug bounty window? I would think that having a few "I hacked the Pentagon" certificates might be worth some credit when pursuing a job with a cyber security firm.

That's what I was thinking. Some might simply want credit. Like make a page of "Bug 1 was discovered by H@ckx00rs, Bug 2 was discovered by An@|intrud3r" or something. You'd probably eventually have people fighting against each other to discover the most bugs.
 