The US Department of Defense (DoD) has paid out $110,000 in bounties and bonuses to ethical hackers who discovered 349 "actionable" vulnerabilities on its networks.
As The Record reports, the vulnerabilities were discovered at a week-long "Hack U.S." event held in July through a partnership with Hackerone. It tasked so-called white hat (ethical) hackers with finding "High" and "Critical" severity vulnerabilities on any publicly accessible information systems, including web property or data owned, operated, or controlled by the DoD.
In total, 349 actionable vulnerabilities were discovered, leading to the DoD paying out $75,000 in bounties. A further $35,000 was paid out in bonuses and awards.
Melissa Vice, the Vulnerability Disclosure Program director, said in a statement, "in just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge ... This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner."
Hack U.S. is just the latest successful bug bounty program run to discover vulnerabilities and make the US government's networks more secure. It all started back in 2016 with the launch of a "Hack the Pentagon" program, which discovered 138 problems.
Katie Olson Savage, deputy chief digital and artificial intelligence officer and Defense Digital Service director, said "this crowd-sourced security approach is a key step to identifying and closing potential gaps in our attack surface." We should therefore expect another DoD bug bounty to run in 2023.