In the recent Hack the Marine Corps competition, a part of the Hack the Pentagon security initiative, ethical hackers uncovered nearly 150 security vulnerabilities, netting more than $151,000 in awards, according to HackerOne. The Marine Corps challenge was the Department of Defense’s sixth bug bounty program, an effort aimed at strengthening the defenses of the Marine Corps Enterprise Network (MCEN).
A live hacking event at this year’s DEF CON 26 in Las Vegas kick-started the Hack the Marine Corps competition, catapulting hackers into action. During the live event, participating hackers sat beside men and women from the U.S. Marine Corps Cyberspace Command (MARFORCYBER).
“I will never forget having a two-star general looking over the shoulder of hackers while they dug deeper into a Marine Corps site with permission and oversight from the Marine Corps team. Experiences like these are incredibly valuable to the organizations and for the hackers who rarely get that type of opportunity to dive deeper,” said Luke Tucker, senior director of community at HackerOne.
The entire challenge spanned 20 days, during which time more than 100 ethical hackers tested public-facing Marine Corps websites and services, yielding nearly 150 unique valid vulnerabilities in MARFORCYBER.
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines, we can accomplish a great deal,” said Major General Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command, in a press release.
“What we learn from this program assists the Marine Corps in improving our war-fighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”
The Marines were not the only ones to boast about the benefits and successes of the challenge. A participating hacker, Tanner Emek, said, “It was great having the opportunity to work side by side with the Marines to help secure their assets. These are my favorite types of programs to be a part of, because they allow me to have a massive impact on systems critical to national security.”
Over the past few years, bug bounty programs have grown more commonplace, with global organizations and federal agencies entrusting white hat researchers to find and disclose vulnerabilities before malicious actors do so. “Without the programs, the researchers have the option of disclosing the vulnerabilities to the companies or organizations affected and getting recognition or selling them to a third party and making some money,” said Lamar Bailey, director of security research and development at Tripwire.
“Once a vulnerability is sold to a third party, the original researcher no longer has control of the data and it could be used for nefarious purposes. Several trustworthy companies have opened up generic bounty programs for researchers wanting to do a responsible disclosure and still make a little money. While these are good, nothing beats a good bug bounty program where a company or organization can work one on one with a researcher to solve a security issue.”