U.S. Department of Defense Secures the DTS With Help From Hackers on HackerOne
More Than 100 Reported Security Weaknesses, Including Social Engineering, Safely Resolved With Help From Hackers
SAN FRANCISCO-- March 30, 2018 --HackerOne, the leading hacker-powered security platform, today announced the results of Hack the DTS (Defense Travel System), the fifth U.S. Department of Defense bug bounty program. During the 29 day bug bounty challenge hackers filed more than 100 security vulnerability reports and were awarded $80,000 for helping make the DTS more secure. The DTS is a key Department of Defense (DoD) enterprise system relied on by millions of employees for global operations. Registration for the program opened on April 1, 2018 and hacking concluded on April 29, 2018. This was the second time social engineering was permitted within a government bug bounty program.
Hack the DTS is part of the DoD’s Hack the Pentagon crowd-sourced security initiative. Nineteen trusted hackers participated in the DTS bug bounty challenge — reporting 65 valid unique vulnerabilities, 28 of which were high or critical in severity, and earning $78,650 in the process. Successful hackers who participated were primarily from the United States and United Kingdom. The highest single bounty award was $5,000, paid out eight times to individual hackers.
“DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” said Jack Messer, project lead at Defense Manpower Data Center (DMDC). “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”
Since the Hack the Pentagon crowd-sourced security initiative with HackerOne launched in 2016, more than 3,000 vulnerabilities have been resolved in government systems. The first Hack the Pentagon bug bounty challenge ran in May 2016 and resulted in 138 valid vulnerabilities resolved and tens of thousands of dollars paid to ethical hackers for their efforts, and Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions. The second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers. Hack the DTS is fifth in an ongoing series with Defense Digital Service (DDS), a division of the U.S. Department of Defense, demonstrating continued success through engagement with the ethical hacking community.
“Securing sensitive information for millions of government employees and contractors is no easy task,” said Reina Staley, Chief of Staff and Hack the Pentagon program manager at Defense Digital Service. “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS. We’d like to thank the participating hackers for contributing their time to help us safeguard sensitive information.”