Hackers discover over 400 vulnerabilities in DoD industrial base companies

The Department of Defense discovers how vulnerable its contractor networks are after completing a year-long bug bounty program.

For a year, hackers surveyed 41 companies and found over 400 vulnerabilities that needed to be mitigated.

“The DoD Cyber Crime Center Vulnerability Disclosure Program has long recognized the benefits of using outsourced ethical hackers to add defense-in-depth protection to DoD information networks,” said Melissa Vice, Acting Director of the Vulnerability Disclosure Program. “The pilot project aimed to identify whether similar high-severity and critical vulnerabilities existed on cleared and non-cleared small to medium-sized defense industrial base assets with potential risks to critical infrastructure and the American supply chain.”

The pilot initially launched with 14 companies and 141 assets and expanded to 41 companies and 348 assets.

The companies voluntarily joined the bug bounty program and agreed to let HackerOne, an organization of ethical hackers, search their assets for vulnerabilities.

The pilot is the DoD’s largest look at industrial base vulnerabilities to date. This is especially important now that the military is concerned about the resilience of its supply chain, that is, the companies it depends on for equipment and services.

For six years, the Department of Defense has put a target on itself, deliberately inviting hackers to go after certain systems through bug bounties and hackathons.

Last year, it extended this tactic to all of its publicly accessible defense information systems, including public networks, the Internet of Things, industrial control systems, frequency-based communication and more.

This growth has signaled the success of using contractors and hackers as a means to improve military cybersecurity.

“The DoD Vulnerability Policy was launched in 2016 because we demonstrated the effectiveness of working with the hacker community and even hiring hackers to find and fix system vulnerabilities,” said former Defense Digital Service director Brett Goldstein last year.

The original program focused on more benign areas of Pentagon networks, such as front-end websites.

During hackathons and bug bounty contests, the DoD offered cash rewards to hackers who could break into its systems. The first-ever bug bounty contest found 138 vulnerabilities.

The first vulnerability report came seven minutes into the contest, and 1,410 professional and hobbyist hackers from 44 states ended up making 1,189 reports of security issues during the three-week program.

The military services and other defense agencies have followed suit by creating their own competitions.

Hackers discovered 54 vulnerabilities in Air Force Cloud One in 2019. The environment uses Amazon Web Services and Microsoft Azure to host the Air Force Portal and more than 100 other applications used daily by Airmen.

Since the inception of bug bounties and hackathons, the DoD has detected over 40,000 vulnerabilities.