Skip to main content

What Was It Like To Hack the Pentagon?

  • June 17th , 2016

Click here for our main Hack the Pentagon page

Hack the Pentagon Bug Bounty Program Security Page on HackerOne

What Was It Like To Hack the Pentagon?

The U.S. Federal Government’s first ever bug bounty program, managed by HackerOne, is now complete. Pioneering a bug bounty pilot for the most powerful and largest organization in the world, was unlike any other pilot to date. Here’s a behind the scenes look at Hack The Pentagon from Marten Mickos, CEO, HackerOne.

Within 13 minutes of launching the first U.S. Government commercial bug bounty program we had our first submission. Just six hours later, that number grew to nearly 200. Hack the Pentagon shattered initial expectations for participation and vulnerability report submissions. By its end, more than 1,400 hackers were accepted to the program, and in total 138 valid bugs were resolved in Pentagon’s systems.

The team at the Department of Defense (DoD) understood all along that the more hackers you invite, the more bugs you will find. So they aimed to be as transparent as possible to encourage hacker participation in this first-ever bug bounty. Still this is not a request most organizations make out of the gate. Over 85% of our customers begin their bug bounty pilots behind closed doors and only invite a handful of hackers when they begin. But the Pentagon is used to doing things at large scale.

The Defense Digital Service (DDS), which spearheaded this project for DoD, is responsible for much of this success. The DDS team brings the best processes, talent, and technology from the private sector into the government. Bug bounty programs fit the bill. With strong support from the Secretary of Defense, Ash Carter, DDS is helping to identify new ways to improve the Department's digital security measures.

We kicked off the Federal Government's first ever bug bounty program with a public announcement and invitations to interested U.S. hackers in March. The idea behind these bug bounty programs is to ask friendly hackers to find and report security problems to an organization for a reward -- usually monetary. The power of a bug bounty program lies in the large number of highly skilled hackers looking at your code. Hackers’ reports poured in from 44 states. California was the most active state, with US expat participants based as far away as Japan, Germany, and England. Hack The Pentagon officially launched on 18 April 2016 and ran for 24 days.

What Drives Hackers
There is no standard profile for a hacker; many of our hackers are full-time security professionals or software engineers, others are students or hobbyists. The youngest hacker to receive a bounty from the Pentagon was 14 and the oldest was 53. From the moment news of this program broke until the launch of the program, an average of 65 new U.S. hackers registered each day. Nearly 1,200 of these folks had never participated on HackerOne before, but joined the platform specifically to Hack the Pentagon.

We regularly hear that hackers are driven by the intellectual challenge, rewards, resume building, and improving their skills. This pilot, in particular, highlighted a motivation that is often overlooked: altruism. Time after time, participants shared their desire to contribute to their country’s security. The patriotic upswell took even us at HackerOne by surprise, and played a central role in the program’s success.

138 Vulnerabilities Resolved
The 24 day Hack The Pentagon pilot exceeded expectations with over 138 unique software vulnerabilities resolved, and tens of thousands of dollars awarded to 58 individual hackers. The pilot was designed to test and find vulnerabilities in a subset of department’s many applications, websites, and networks.

A SQL Injection issue was the most severe and earned $3,500; the highest individual bounty. Cross-Site Scripting issues were the most common, as is the case in most bug bounty programs, and Information Disclosure was the second most common. The average bounty was $588 with the top earning hacker making a total of $15,000 on this program.

To commemorate the Hack the Pentagon pilot, a custom Hack the Pentagon challenge coin was made for successful hackers and the team on the DoD side, including Secretary Carter.

A Hacker-filled future
This pilot indicates a major turning point for digital security. Not long ago, an individual or hacker who reported a security vulnerability could find themselves in court for trying to report that bug to a company. Over time, attitudes have shifted significantly. What was a risky hobby is now a viable and enviable career opportunity. Instead of legal gag orders, hackers are receiving invitations from major companies and now, the U.S. Government, to come hack.

No organization is so powerful that it does not need outside help identifying security issues, and this includes the Pentagon. Top companies rely on these bug bounty programs to improve their security, like Google, Facebook, Microsoft, Uber, Github, Twitter, Yahoo, and hundreds more. To be the most powerful, you must be open about your vulnerabilities, seek the help of others, and take corrective action quickly.

The U.S. Government is hardly synonymous with progressive practices and transparency, yet they are out-innovating most companies in the private sector when it comes to digital security with this pilot. Fewer than 7% of the Forbes Global 2000 largest companies in the world have adopted vulnerability disclosure best practices.

There is a huge untapped potential with the independent hacker community if organizations are willing to give them a chance. We stand by the hackers and the innovators at DoD working to bring this more secure future closer every day.

Mårten Mickos
CEO, HackerOne

Recent articles

Bug Bounty Field Manual: The Definitive Guide for Planning, Launching, and Operating a Successful Bug Bounty Program

H1-415 Hackathon Delivers to Customers, Community, and Hackers

Just a few short weeks ago, an elite group of hackers huddled in conference rooms in a San Francisco high-rise…

Introducing CWE-based Weaknesses

HackerOne updated their vulnerability taxonomy to include a more complete weakness suite based on the industry-…