A recent program inviting the public to hack around 200 public-facing Marine Corps websites uncovered over 150 valid vulnerabilities, according to an Oct. 3 Defense Digital Service announcement.
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal,” said Maj. Gen. Matthew Glavy, commander of the U.S. Marine Corps Forces Cyberspace Command, in the news release.
“What we learn from this program assists the Marine Corps in improving our war-fighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”
The program, which kicked off Aug. 12 alongside the Black Hat USA, DefCon and BSides conferences in Las Vegas, ran through Aug. 26 and offered cash prizes for vulnerabilities found.
Participants uncovered vulnerabilities garnering a total of $151,542 in payouts and the program itself only cost the Marine Corps $350,000, rather than the millions it would have taken to run a contracted security assessment.
“It was great having the opportunity to work side-by-side with the Marines to help secure their assets,” said Tanner Emek, one of the participating hackers, in the news release. “These are my favorite types of programs to be a part of, because they allow me to have a massive impact on systems critical to national security.”
During the program, a group of three hackers were able to exploit a vulnerability and gain access to Marine Corps personnel-related records, and they ultimately split one of the single largest payouts of the event at $10,000.
“It was an honor to work on the Marine Corps program. This opportunity to help improve the security of the armed forces was not only fun, but it made me feel proud to give back. Working alongside the Marine Corps in-person felt like we were all on the same team,” said Nathanial Lattimer, an ethical hacker participant and security engineer at Dropbox, in the news release.
Hack the Marine Corps is the eleventh bug bounty program run by the Department of Defense, after the Defense Digital Service kicked off the trend with its successful Hack the Pentagon program in 2016.
Prior programs have resulted in over 600 resolved vulnerabilities with approximately $500,000 awarded to participating hackers.
Hacker One, which facilitated the Hack the Pentagon program, as well as previous bug bounties, also hosts an ongoing vulnerability disclosure program for DoD, so that hackers who become aware of vulnerabilities after the bug bounty program closes still have an avenue for safely reporting the problems.