Cyber Command’s bug bounty program uncovers more than 30 vulnerabilities


Ethical hackers have found nine “high severity” vulnerabilities and one “critical” vulnerability across Department of Defense proxies, virtual private networks, and virtual desktops through the “Hack the Proxy” bug bounty program, the Department of Defense’s Defense Digital Service and HackerOne announced Monday.

In addition to the high severity and critical vulnerabilities uncovered, “Hack the Proxy” found 21 “medium” or “low severity” vulnerabilities. Defense Digital Service and HackerOne spokespeople did not immediately return requests for comment on what kinds of vulnerabilities qualify as “high severity,” “critical,” or “medium/low severity.”

The bug bounty program, sponsored by U.S. Cyber Command, zeroed in on finding vulnerabilities in systems that sit at the edge of the Department of Defense Information Network, the kind of flaws that could give foreign hackers a window into internal activity at the Pentagon.

This comes just a week after the National Security Agency issued an alert warning that multiple nation-state adversaries have been exploiting VPN vulnerabilities in Pulse Secure and Fortinet products, which the Chinese hackers known as “Manganese” or APT5 are known to have targeted in the past.

Maj. Sgt. Michael Methven at Cyber Command’s Directorate of Operations said in a statement this program helps the Department of Defense ensure its networks are more resilient against attacks emanating from malicious actors, noting that “validating capabilities, closing previously unknown vulnerabilities, and enforcing standards improve[s] our ability to conduct multi-domain military operations.”

While discussing multi-domain operations, which are meant to link air, sea, land, space, and cyber activities to better meet adversary threats against the U.S., the Secretary of the U.S. Army, Ryan McCarthy, said in remarks Monday that he believes U.S. adversaries are currently one step ahead of the Pentagon.

“U.S. adversaries are operating largely uncontested in space and cyberspace,” McCarthy said while delivering remarks at the Association of the U.S. Army summit in Washington.

“As our adversaries become more sophisticated in their tactics, we must stay one step ahead to protect our citizens and defense systems,” said Alex Romero, Digital Service Expert at the Department of Defense Defense Digital Service. “HackerOne’s global community of vetted hackers have helped us discover and remediate vulnerabilities that represent real risk to national security.”

Drawing on 81 hackers from the U.S., Ukraine, Turkey, India, and Canada, the bug bounty program ran for two weeks early last month. It was the Department of Defense’s eighth bug bounty program since the Pentagon began its partnership with HackerOne three years ago. The top bug bounty hunter, based in the U.S., received an award of $16,000. In all, hackers involved in the program were awarded $33,750.

Just last week, HackerOne announced a bug bounty program with the Pentagon focused on the U.S. Army, which it previously partnered with in 2016.