Pentagon’s Bug Bounty Program Identifies Defense Travel System Vulnerabilities

Military leaders pay white hat hackers $3,000 to identify bugs

Pentagon leaders again reached out to white hat hackers and asked them to identify possible vulnerabilities and bugs for the system used to book travel for service members across the Defense Department.

DOD travelers rely on the Defense Travel System, whose security “is mission-critical,” Jack Messer, the project lead for the Defense Manpower Data Center, said in a press release.

This is the latest iteration of the Hack the Pentagon program the military introduced in 2016. Hack the DTS resulted in hackers identifying 65 vulnerabilities, 29 of which were labeled as critical.

DOD has handed out about $300,000 in bug bounties to hackers who have found vulnerabilities since the Hack the Pentagon pilot. To execute these hackathons, the military has partnered with bug bounty programs like HackerOne as a way for hackers to target and point out vulnerabilities in its cybersecurity system.

These white hat hackers get paid by DOD for each vulnerability found. Pentagon leaders have credited the program with saving the military millions of dollars by identifying bugs in their IT systems early. The program has found and repaired 3,000 different flaws thus far.

Following the success of Hack the Pentagon, DOD expanded its cybersecurity initiative to the military services. Hack the Air Force, Hack the Army, and now, Hack the DTS have all been launched.

Hack the Pentagon was a bug bounty program created by DOD in early 2016 as a way to use white hat hackers to point out IT vulnerabilities. The program was run by then-Secretary of Defense Ash Carter.

“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Carter said in a speech, upon the pilot program’s release in 2016.

Hack the DHS Next

Bug bounty programs will soon make the transition to the Homeland Security Department. Congress passed the Hack the Department of Homeland Security Act on April 17. The legislation outlines and funds a bug bounty program for DHS similar to the military bug bounties.

In fact, DHS will consult the military on its Hack the Pentagon program to see how the bug bounties were set up. Congress has asked DHS to issue a report six months after completing the pilot program to monitor the agency’s results.