The latest edition of the “Hack the Pentagon” bug bounty program uncovered over 100 security vulnerabilities in the Pentagon’s public-facing travel system for department employees, according to results released Thursday by program coordinator HackerOne.
The fifth “Hack the Pentagon” event ran through April. During it, 19 ethical hackers reported ongoing flaws in the Defense Travel System, including 65 unique vulnerabilities, of which 28 were labeled highly severe or critical.
“DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” Jack Messer, project lead for DoD’s Defense Manpower Data Center, said in a statement. “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”
HackerOne’s DoD bug bounty programs have uncovered over 3,000 vulnerabilities since May 2016, including 118 valid vulnerabilities in a “Hack the Army” event and 313 over two “Hack the Air Force” programs.
“Securing sensitive information for millions of government employees and contractors is no easy task,” Reina Staley, Hack the Pentagon program manager at DoD’s Defense Digital Service, said in a statement. “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS. We’d like to thank the participating hackers for contributing their time to help us safeguard sensitive information.”
Hackers in the latest bug bounty program received $80,000 in payouts for the DTS vulnerabilities they discovered. Northrop Grumman [NOC] is the prime contractor for DTS.