Five years after the Defense Digital Service (DDS) launched the first-ever U.S. federal government bug bounty Challenge, we’re pleased to announce the results of Hack the Army 3.0, the third Challenge between DDS and the U.S. Army, and the 11th overall DDS bug bounty Challenge in partnership with HackerOne.
Hack the Army 3.0 kicked off in January 2021 and ran for six weeks. With a total of 11 assets in scope, we saw 40 unique, top-tier security researchers from both military and civilian backgrounds focus their efforts on identifying vulnerabilities within DDS/Army's wide range of scope in two applications. At the end of the engagement, security researchers had identified 238 vulnerabilities, of which 102 vulnerabilities were rated high or critical and designated for immediate remediation. Over $150,000 was awarded to eligible civilian hackers in bounties during Hack the Army 3.0.
This third iteration of Hack the Army is part of the Department of Defense’s (DoD) ongoing commitment to identify and remediate cyber threats that could undermine national security. HackerOne recently sat down with DDS and Army program leaders and one of the security researchers who hacked the Army. We discussed why Hack the Army matters, the results that were uncovered in Hack the Army 3.0, and their plans for the future of cybersecurity within the DoD and the U.S. Military. Read on to see what they had to say.
Tell us a bit about yourself and your role in Hack the Army.
DDS: Hi I’m Maya Kuang, Army Product Manager, Defense Digital Service. I joined DDS and the Hack the Pentagon team upon graduating from West Point. I led many distinct DoD bug bounties and steered other government agencies toward improved vulnerabilities disclosure practices. I am currently working on health readiness efforts in the department. My role in Hack the Army was to create the space for our partners, in this case, HackerOne and ARCYBER/NETCOM, to work on securing our systems, starting from the grassroots of contract creation to final assessment review.
Army: I’m Johann R. Wallace, Compliance Division Chief, Army Network Enterprise Technology Command. I’ve been working for the Army in some capacity since about 2008 and have been in the field of cybersecurity for that entire time, plus a few years prior to. For this event, I was the technical subject-matter expert that acted as an interface, and sometimes a translator, between the researchers and the Army website owners. Working closely with DDS and HackerOne, I would evaluate the reports, verify their criticality, and when resolved, another individual or I would validate the fix actions.
This is your 11th engagement with HackerOne. What drives you to continue to implement these Challenges?
Maya Kuang (DDS): The goal for these challenges is not to create disparate events. Instead, we want to lead our government into the next generation of securing systems by continuously advocating for the continuation and evolution of these challenges. We cannot afford a ‘next time we will do better’ mentality. I strongly believe a proactive approach is critical, which means finding potential problems and addressing them before they are realized.
As you know, there are several types of hacker-powered security programs — some time-bound like Hack the Army 3.0 and some continuous like the DoD VDP. What are the benefits of each and how do you choose the approach that's best for your attack surface?" or something like that.
Maya Kuang (DDS): Both types of approaches serve critical functions. Time-bound bounties give researchers a purposeful timeframe where collaboration can be maximized, whereas a more continuous model builds up the trust between researchers and the government in the long run. Oftentimes, sustainability can be conflated with slow and steady; however, this is not the type of sustainability that should be condoned. In order for more advanced systems to consistently stay secure, the protection models that go along with it should also be advancing.
Hack the Army 3.0 is the third Army engagement with HackerOne. Tell us about the experience.
Johann R. Wallace (Army): As I had anticipated, it was an absolute blast! I’m always interested in learning new techniques and ways to leverage old ones to target our forward-facing assets for weaknesses. It definitely was not a letdown. We had some innovative researchers in this program that made me and a coworker remark on how neat some reports were.
What are some of the successes so far?
Maya Kuang (DDS): What makes these crowdsourced events a success is the diversity within the researcher population. Different methods and thought processes are crucial when we simulate what real adversaries would do. This is the first engagement where we had 50 military researchers register to participate with several valid findings submitted. This is especially exciting because this is what I envision future success looking like: both external and internal-to-department researchers working toward the same goal and also the military providing space for internal talent to develop their skill sets.
Johann R. Wallace (Army): It’s always interesting to see what vulnerabilities and weaknesses are hiding in plain sight. Hack the Army does a tremendous job of exposing content and coding errors that our normal compliance-based scanning had overlooked. Just because a system is patched doesn’t mean that it’s secure, and an engagement like Hack the Army allows us to leverage additional subject-matter expertise to look at more assets faster than we do with our internal vulnerability assessment teams alone. As we like to tell our users: “Someone is going to pentest your servers – better to have it be someone we’re paying.”
The scope of Hack the Army 3.0 covered a range of army.mil and westpoint.edu applications. In what ways did having a broad scope help surface more vulnerabilities?
Maya Kuang (DDS): A broader scope gives researchers the opportunity to find various vulnerability types and also perform similar tests on multiple assets. This in turn helps us find out if there are systemic vulnerabilities that should be addressed throughout multiple sites within an organization.
Over three Hack the Army Challenges, ~500 valid vulnerabilities were identified and nearly half of those 500 were identified in the third Challenge. What does this tell you?
Maya Kuang (DDS): The increase in vulnerabilities found can be seen as an increase in testing surface. There are two major factors in play. One factor is that the hacker community is pushing the boundaries of what we know in cybersecurity on every engagement and do not hesitate to test out different processes. The other factor on our side when we work with internal partners is the increased understanding of the vetted, crowdsourced testing model and the receptiveness toward it.
After a bug is submitted, how do you ensure identified issues are properly fixed and verified?
Johann R. Wallace (Army): This was a responsibility that I took on, and it fell within my role as the technical subject-matter expert to address. We pulled in technical contacts related to the sites in-scope that facilitated a much quicker find, validate, fix, confirm, close workflow. As HackerOne’s team triaged the reports, we addressed any questions or concerns about them, and they were given to the appropriate action officer to run down the fix. Once I was notified that a fix was in place, another individual or I would confirm those fixes by recreating the attack scenario/exploit. The results would drive closure of the report, direction to try again, or a site block.
What does success look like in the future for the U.S. Army’s cybersecurity?
Johann R. Wallace (Army): Depends on who you ask. Cybersecurity is a broad term that covers a lot. If we’re talking specifically about events like this, then I would say a continuation of them. Automated tools can never replace the effectiveness of the human mind, our ability to adapt, and the special skillset it takes to follow the white rabbit. Success means prevention through education, not knowledge through reaction.
What do you expect to see as a long-term benefit from the Hack the X program?
Maya Kuang (DDS): I think Hack the X is a way of thinking. It isn’t only about the testing process and it isn’t only about the bounties. Ultimately, it is about bringing innovative practices into the public sector. That is the advantage. Getting specific individuals on board is only the first step, but getting whole organizations on board is the goal. So when you take out, for instance, me, the current Hack the Pentagon team, or Johann and Hack the X is still chugging along, that is long-term success.
Who are the hackers hacking the Army?
Johann R. Wallace (Army): During the Challenge, we hand-selected top security researchers from HackerOne’s Clear program, which meant everyone hacking the Army is required to clear a background check prior to accessing our targets. For the first time, we also invited military personnel to participate in the Hack the Army challenge, with seven joining in the end. We’re proud to work with our military and civilian hackers, who bring with them diverse subject matter expertise and background experience and are a key factor in assuring the ongoing security of our assets.
Speaking of who hacked the Army...we’d like to turn the interview over to @cdl, Hack the Army 3.0’s top program hacker. @cdl helped us identify several potential risks, including XSS and SSRF weaknesses, ultimately providing an important layer of security across the attack surface for Army assets.
Tell us who you are.
My name is Corben Leo and I go by cdl on the HackerOne platform. I’m a 21-year old from a suburb of Minneapolis, MN that is studying computer science at Dakota State University.
How long have you been hacking in the cybersecurity industry?
I first got into cybersecurity as a freshman in high school, and I had no idea that cybersecurity was an industry. When I heard about bug bounties my junior year (~2016) of high school, I joined HackerOne and have been doing bug bounties for about five years now.
Was this your first time hacking on a DoD or military program? Why do you feel it’s important or valuable to hack on military programs?
It is not! I spent a significant amount of time hacking on the Department of Defense VDP when I first signed up to HackerOne and it was actually how I first started to learn how to apply my skills. Furthermore, I participated in Hack the Army 2.0 last year and placed first! I come back to DoD programs when I need to test new tooling or methodologies. It is great for these purposes due to their large scope and their utilization of many different technologies. Hacking on the military programs provides great experience for security professionals who want to hone their skills. Furthermore, you’re also helping them become more secure.
What do you enjoy about hacking the Army? What keeps you motivated to hack on this program?
I enjoy how large the scope is and how responsive the team is. Furthermore, I feel like I can make a difference and improve the security of our military.
Without giving away scope that isn’t public, how did you approach the target?
First, I find subdomains with subfinder, then I resolve the subdomains with a DNS resolver like massdns. Next, I probe for webservers and from there I fingerprint all of them. After that, I prioritize the servers running technologies I’m very familiar with. Next, I spider the website, I use getallurls (gau) to find interesting pages, ffuf to find more content, and I just use the website normally and capture traffic with Burp Suite. From there, I play with endpoints I find are interesting and usually find vulnerabilities. Furthermore, I also hunt for infrastructure misconfigurations. So, primarily, the information I seek is – what military applications are on the public internet and what technologies are these applications running? What content do they have, and how can I abuse that content to do something “evil”.
What should other government agencies evaluating a hacker-powered security program glean from this latest Hack the Army Challenge?
There is always room for improvement, there will always be vulnerabilities, and you might not be as secure as you may think :) Be proactive about it!
Anything else you’d share about hacking the Army?
It was another great experience and I’m thankful I was able to participate.
For more information about how you can achieve the benefits of a bug bounty program, visit hackerone.com/product/bounty.