Hack the Marine Corps Bug Bounty Challenge Concludes, Nearly 150 Security Vulnerabilities Surfaced and $151,542 Awarded to Hackers

The U.S. Department of Defense (DoD) and HackerOne, the leading hacker-powered security platform, today announced the results of the DoD’s sixth public bug bounty program. The Marine Corps is committed to fighting and winning in all domains, including cybersecurity, and Hack the Marine Corps is a key initiative of this campaign. The bug bounty challenge invited over 100 ethical hackers to test public-facing Marine Corps websites and services in an effort to harden the defenses of the Marine Corps Enterprise Network (MCEN). Over the 20 days, hackers reported nearly 150 unique valid vulnerabilities to the U.S. Marine Corps Cyberspace Command (MARFORCYBER) team and were awarded over $150,000 for their contributions.

Hack the Marine Corps kicked off with a live hacking event in Las Vegas, NV. on August 12, 2018 during DEF CON 26. During the event, expert security researchers were shoulder-to-shoulder with the Marines from MARFORCYBER. Hackers filed 75 unique valid security vulnerability reports during the event and were initially awarded over $80,000 for helping further secure the MCEN, the Marine Corps’ portion of the DoD Information Network (DoDIN). Photos of the event can be found here.

“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal. What we learn from this program assists the Marine Corps in improving our warfighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities,” said Major General Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command.

“It was great having the opportunity to work side-by-side with the Marines to help secure their assets,” said Tanner Emek, one of the participating hackers. “These are my favorite types of programs to be a part of, because they allow me to have a massive impact on systems critical to national security.”

Hack the Marine Corps is part of the Hack the Pentagon crowd-sourced security initiative with the DoD’s Defense Digital Service (DDS) and HackerOne. HackerOne was hand selected by the DoD to run the first Hack the Pentagon program in 2016, and more than 800 valid vulnerabilities have been reported through the Hack the Pentagon bug bounty program on public-facing assets.

The hacking does not end when the challenge concludes. Any hackers who become aware of vulnerabilities in any DoD assets can safely disclose them to the DoD through its ongoing vulnerability disclosure program (VDP) with HackerOne. The Defense Department launched its VDP in 2016 as part of Hack the Pentagon to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems. More than 5,000 valid vulnerabilities have been reported in government systems through the vulnerability disclosure program since its launch.

Defense Digital Service

The Defense Digital Service is a team of top tech talent on a tour of duty at the Pentagon to improve technology across the Department. DDS applies industry best practices to high-impact national security missions and tackles some of DoD’s most complex IT challenges. Projects include reforming digital services that provide military families access to critical benefits, developing drone detection technologies, hunting adversaries on DoD networks, and redesigning training for cyber soldiers. DDS is an agency team of the U.S. Digital Service. The DDS Director reports directly to the Secretary of Defense.

About HackerOne

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,000 other organizations have partnered with HackerOne to resolve over 80,000 vulnerabilities and award over $35M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.

For a comprehensive look at the industry based on the largest repository of hacker reported vulnerability data, download the The Hacker-Powered Security Report 2018.