Preliminary Results Indicate ‘Hack the Army’ a Success


One of the main firms associated with the Hack the Army effort released the results of the service’s first bug bounty program.

In a blog post published Jan. 19, HackerOne said from Nov. 30 to Dec. 21:

  • 371 eligible participants registered.
  • 416 total reports were received.
  • 118 total valid reports were received
  • It took five minutes to receive the first vulnerability report.

HackerOne touted the preliminary results posted on their website as a success. Twenty-five of the 371 eligible and invited were government employees including 17 military personnel — a difference in the original Hack the Pentagon initiative.

An estimated $100,000 in bounties was paid to hackers.

HackerOne said the most significant vulnerability discovered was a series of chained vulnerabilities in which a researcher could move from the public-facing to an internal Department of Defense website requiring special credentials.

HackerOne also promised more to come from this effort.

Like the Defense Digital Service — a Silicon Valley-modeled node within the Pentagon focused on difficult problems, such as Hack the Pentagon — the Army and Air Force have stood up their own iteration.