WASHINGTON — October 4, 2018 — The U.S. Department of Defense (DoD) announced the results of the Department’s sixth public bug bounty program, Hack the Marine Corps, which ran August 12th through August 31st. Over the twenty-day challenge, hackers reported over 150 unique valid vulnerabilities to the U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER) team and were awarded over $150,000 for their contributions.
The Marine Corps is committed to fighting and winning in all domains, and Hack the Marine Corps is a key initiative to ensure we are prepared in the domain of cyberspace. The bug bounty challenge utilized private-sector security firm HackerOne to convene over 100 ethical hackers to test public-facing Marine Corps websites and services in an effort to harden the defenses of the Marine Corps Enterprise Network (MCEN).
Hack the Marine Corps kicked off with a live hacking event in Las Vegas, NV. During the event, expert security researchers worked with the Marines from MARFORCYBER, representing both offensive and defensive cyber teams. Hackers filed 75 unique valid security vulnerability reports during the event and were initially awarded over $80,000 for helping further secure the MCEN, the Marine Corps’ portion of the DoD Information Network (DoDIN).
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal. What we learn from this program assists the Marine Corps in improving our warfighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities,” said Major General Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command.
Hack the Marine Corps is part of the Hack the Pentagon crowd-sourced security initiative led by the DoD’s Defense Digital Service (DDS), a team at the Pentagon that utilizes best-in-industry practices to help improve technology across the Department. Recognizing many of the nation’s biggest companies use bug bounties to improve the security and delivery of digital services, DDS launched the federal government’s first bug bounty challenge in 2016.
After the close of bug bounty challenges, hackers who become aware of vulnerabilities can disclose them to the DoD through its ongoing vulnerability disclosure program. The Defense Department launched its Vulnerability Disclosure Policy in 2016 as part of Hack the Pentagon to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems. Since the launch of Hack the Pentagon, thousands of valid vulnerabilities have been identified in government systems through bug bounties and the Vulnerability Disclosure Program.