Marines get into the bug-bounty game

At the Las Vegas event, ethical hackers identified and reported 75 unique vulnerabilities and were awarded over $80,000 for their efforts.

The Department of Defense continues to spearhead bug bounty programs to improve cybersecurity posture within the federal government.

On Aug. 12, the DOD and HackerOne launched the latest iteration of the Hack the Pentagon program, Hack the Marine Corps. The bug bounty program focuses on the Corps’ public-facing websites and services to “harden the defenses of the Marine Corps Enterprise Network,” according to an Aug. 13 statement released by the Defense Digital Service. MCEN is the Marine Corps’ portion of the DOD Information Network and a vital part of the branch’s warfighting platform, according to Marine Corps Communication Strategy & Operations Officer Capt. Christopher Harrison.

The program launched in Las Vegas with a nine-hour live-hacking event during which ethical hackers from around the world probed public-facing websites and services, hunting for vulnerabilities. The team of almost 100 hackers was selected based on their performance in government programs and live-hacking events and their experience with the HackerOne platform, HackerOne CEO Marten Mickos told GCN. The hackers identified and reported 75 unique vulnerabilities and were awarded over $80,000 for their efforts.

Hack the Marine Corps is part of an ongoing DOD initiative to solidify “its defensive posture and overall cybersecurity,” according to DDS officials.

“No matter how strong, skilled or well-funded an organization is, there is no substitute for the value of external unbiased researchers looking for vulnerabilities,” Mickos said. “Together, hackers and the Marines are protecting American citizens.”

The DDS is the force behind the initiative and since 2016 has conducted the Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System bug bounty programs. These efforts have helped uncover over 5,000 cyber vulnerabilities, and participating security researchers have racked up over $400,000 in awards.

“Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities,” Marine Forces Cyberspace Commander Maj. Gen. Matthew Glavy said.

Other federal agencies also have conducted bug bounty programs, including 18F's hackathon for the Technology Transformation Service. The Department of Homeland Security and the State Department have proposed similar programs.

"Sometimes, the best line of defense is a skilled hacker working together with our men and women in uniform to better secure our systems,” DDS Director Chris Lynch said. “We're excited to see Hack the Pentagon continue to build momentum and bring together nerds who want to make a difference and help protect our nation.”