Almost a year after the Pentagon launched the vulnerability disclosure program, the agency received 2,837 credible reports on vulnerabilities from some 650 hackers from 50 countries around the world.
More than 100 of the reported vulnerabilities were rated critical or represented a serious threat to the agency’s systems. Flaws in almost 40 components of US Department of Defense systems allowed remote code execution, SQL injection, and authentication bypass.
Most of the reports were submitted by researchers from the United States, India, Britain, Pakistan, the Philippines, Egypt, Russia, France, Australia and Canada.
The US Department of Defense’s vulnerability disclosure program does not involve monetary rewards; it only provides a channel for reporting security problems without the risk of legal consequences. However, as part of the Pentagon initiative, several time-limited programs were launched that did offer monetary rewards. Researchers who participated in these programs earned more than $300,000 for finding almost 500 vulnerabilities in the agency’s systems.
The first such initiative was the Hack the Pentagon program, in which researchers earned about $75,000 for 138 vulnerability reports. The agency then launched the Hack the Army program, which paid out about $100,000 for 118 vulnerabilities, and Hack the Air Force, in which participants found 207 vulnerabilities and earned a total of $130,000.
After the success of these programs, government organizations and US legislative bodies showed increased interest in reward programs for the vulnerabilities discovered.
The General Services Administration (GSA) launched a bug bounty program that offers rewards of $300 to $5,000. The US Department of Justice has also developed a framework to help organizations launch their own vulnerability disclosure programs.