jwang@hackerone.com

Hackers Awarded More Than $275,000 for Surfacing Over 145 Security Vulnerabilities in Second ‘Hack the Army’ Challenge with HackerOne

Fifty-two hackers participated in ninth U.S. Department of Defense bug bounty program

SAN FRANCISCO — January 15, 2020 — Through partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced the results of the second Army bug bounty program, ‘Hack the Army 2.0’. The bug bounty challenge ran from October 9, 2019 to November 15, 2019 with more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website for the first time.

Bug bounties are monetary awards paid to white hat hackers for reporting valid security flaws within a defined scope that could lead to security breaches in the future. By disclosing these vulnerabilities to security teams, white hat hackers help companies secure digital assets and prevent attacks from criminals. This crowdsourced feedback loop helps organizations boost and scale security through trust and collaboration.

Fifty-two trusted hackers participated in the Hack the Army 2.0 bug bounty challenge, reporting 146 valid vulnerabilities over the course of five-weeks. Hackers from the U.S., Canada, Romania, Portugal, Netherlands, and Germany, participated, with the first vulnerability being reported within four hours of the program launching. The U.S. Army awarded over $275,000 to hackers for their efforts, with the highest single monetary award or “bounty” being $20,000.

“Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,”  said Alex Romero, Digital Service Expert at Department of Defense Defense Digital Service. “With each Hack the Army challenge, our team has strengthened its security posture.”

“The partnership with DDS demonstrates a fun and creative way to safely find solutions, so we look forward to building on this relationship to create future events” said a US Army Cyber Command spokesperson.

On November 20, the challenge culminated in an awards ceremony in Augusta, Georgia where the top three hackers — @alyssa_herrera, @erbbysam, and @cdl — were rewarded for their contributions. In addition to the presentation of awards, the event included a panel where the hackers shared their experience in the program and educational breakout sessions with the Department of Defense cyberdefense teams. 

"The Department of Defense programs are some of my favorites to hack on, and Hack the Army 2.0 was one of the most rewarding,” said second place winner @alyssa_herrera. “It is so exciting to know that the vulnerabilities I find go towards strengthening Army defenses to protect millions of people. Coming in second place and being invited to spend time with the hackers and soldiers I worked alongside made the impact we made in this Challenge feel even bigger."

This was the ninth bug bounty initiative HackerOne has run with the DoD and the second challenge run with the U.S. Army. The first Hack the Army challenge resulted in 118 unique and valid vulnerabilities, with the first being reported within five minutes of program launch. $100,000 was awarded to hackers for their findings. Nearly 400 hackers from around the world participated in this challenge, including government employees and military personnel. 

For more information on the previous Hack the Army program and results please visit: https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In.