Pentagon’s Bug Bounty Program Identifies Defense Travel System Vulnerabilities

Military leaders pay white hat hackers $3,000 to identify bugs

Pentagon leaders again reached out to white hat hackers and asked them to identify possible vulnerabilities and bugs for the system used to book travel for service members across the Defense Department.

The Defense Travel System is a travel management system for members throughout the Defense Department. “DTS is relied on by DOD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” Jack Messer, the project lead for the Defense Manpower Data Center, said in a press release.

This is the latest iteration of the Hack the Pentagon program the military introduced in 2016. Hack the DTS resulted in hackers identifying 65 vulnerabilities – 29 of which were labeled as critical.

The Defense Department has handed out about $300,000 in bug bounties to hackers who have found vulnerabilities since the Hack the Pentagon pilot. To run these events, the military has partnered with bug bounty platforms such as HackerOne, which give vetted hackers a sanctioned way to probe specified systems and report the vulnerabilities they find.

For each bug/vulnerability found, the Defense Department pays the hackers. Pentagon leaders have credited the program with saving the military millions by identifying vulnerabilities in their IT systems early. The program has found and repaired 3,000 different bugs and vulnerabilities thus far.

Following the success of Hack the Pentagon, the Defense Department expanded the initiative to the military services. Hack the Air Force, Hack the Army, and, now, Hack the DTS have all been launched.

Hack the Pentagon was a bug bounty program created by the Department of Defense in early 2016 as a way to use white hat hackers to point out vulnerabilities and bugs in its Internet-facing information technology. The program, launched under then Secretary of Defense Ash Carter, worked alongside HackerOne to resolve a total of 2,837 reports.

“It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” said former Defense Secretary Ash Carter in a speech upon the pilot program’s release in 2016.

Hack the DHS Next

Bug bounty programs will soon make the transition to the Department of Homeland Security. Congress recently passed the Hack the Department of Homeland Security Act on April 17. The legislation outlines and funds a bug bounty program for DHS similar to the military bug bounties.

In fact, DHS will consult the military on its Hack the Pentagon program to see how the bug bounties were set up. Congress has asked DHS to issue a report six months after completing the pilot program to monitor the agency’s results.