The U.S. Department of Defense (DoD) and HackerOne launched the Department’s sixth bug bounty program, Hack the Marine Corps. The bug bounty challenge will focus on Marine Corps’ public-facing websites and services in order to harden the defenses of the Marine Corps Enterprise Network (MCEN). The bug bounty program will conclude on August 26, 2018.
The Marine Corps’ bug bounty program kicked off with a live-hacking event in Las Vegas, Nev. on August 12, 2018 coinciding with the world’s largest hacker and security conferences, Black Hat USA, DEF CON and BSides Las Vegas. Nearly 100 hand-selected ethical hackers from the global security researcher community participated in nine straight hours of hacking Marine Corps public-facing websites and services for vulnerabilities.
During the launch event, expert security researchers were shoulder-to-shoulder with the Marines from U.S. Marine Corps Cyberspace Command (MARFORCYBER), representing both offensive and defensive cyber teams. Hackers filed 75 unique valid security vulnerability reports during the event and were awarded over $80,000 for helping further secure the MCEN, the Marine Corps’ portion of the DoD Information Network (DoDIN).
“Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture. Our Marines need to operate against the best. What we learn from this program will assist the Marine Corps in improving our warfighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities. It will make us more combat ready,” said Maj.Gen. Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command.
U.S. Marine Corps
The Hack the Marine Corps bug bounty program supports the Marine Corps’ ongoing commitment to hardening its defensive posture and overall cybersecurity. In March, the Marine Corps announced the creation of a cyberspace career field that provides a professionalized, highly skilled workforce that can effectively employ cyberspace capabilities and effects. These efforts are part of the Corps’ commitment to fighting and winning – in all domains.
Hack the Pentagon
Hack the Marine Corps is part of the Hack the Pentagon crowd-sourced security initiative with the DoD’s Defense Digital Service (DDS) and HackerOne. Recognizing many of the nation’s biggest companies use bug bounties to improve the security and delivery of digital services, DDS launched the federal government’s first bug bounty challenge in collaboration with HackerOne in 2016.
“Information security is a challenge unlike any other for our military. Our adversaries are working to exploit networks and cripple our operations without ever firing a weapon,” said DDS Director Chris Lynch. “Sometimes, the best line of defense is a skilled hacker working together with our men and women in uniform to better secure our systems. We’re excited to see Hack the Pentagon continue to build momentum and bring together nerds who want to make a difference and help protect our nation.”
Since the launch of Hack the Pentagon, more than 5,000 valid vulnerabilities have been reported in government systems. These bug bounty challenges include:
- Hack the Pentagon launched in May 2016 and resulted in 138 valid vulnerabilities resolved and tens of thousands of dollars paid to ethical hackers for their efforts.
- Hack the Army launched in December 2016 and surfaced 118 valid vulnerabilities resolved and paid $100,000 to ethical hackers.
- Hack the Air Force launched in April 2017 and resulted in 207 valid vulnerabilities resolved and more than $130,000 paid to ethical hackers.
- Hack the Air Force 2.0 launched in December 2017 and resulted in 106 valid vulnerabilities resolved and $103,883 paid to hackers.
- Hack the Defense Travel System launched in April 2018 and focused on testing a DoD enterprise system and resulted in 100 security vulnerabilities reported and $80,000 paid to hackers.
After the close of bug bounty challenges, hackers who become aware of vulnerabilities can disclose them to the DoD through its ongoing vulnerability disclosure program with HackerOne. The Defense Department launched its Vulnerability Disclosure Policy in 2016 as part of Hack the Pentagon to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems.
“Success in cybersecurity is about harnessing human ingenuity,” said Marten Mickos, CEO at HackerOne. “There is no tool, scanner, or software that detects critical security vulnerabilities faster or more completely than hackers. The Marine Corps, one of the most secure organizations in the world, is the latest government agency to benefit from diverse hacker perspectives to protect Americans on and off the battlefield.”