Hackers Find 65 Bugs in the Pentagon’s Travel Management System


The Defense Department’s fifth bug bounty awards $80,000 for spotting security holes in a travel system used by millions of the agency’s employees.

Ethical hackers exposed more than 60 cybersecurity holes in an enterprise system used by millions of Defense Department employees to organize travel plans.

The vulnerabilities within the Defense Travel System were uncovered during the Pentagon’s fifth bug bounty program, Hack the DTS, which ran from April 1 to April 29.

The 19 participants won nearly $80,000 in bounties after spotting 65 unique bugs, 28 of which were deemed highly severe or critical. These included eight vulnerabilities worth $5,000 apiece.

“Securing sensitive information for millions of government employees and contractors is no easy task,” said Reina Staley, chief of staff and co-founder of the Defense Digital Service, in a statement. “No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS.”

Defense employees use DTS to authorize, reserve and receive reimbursements for work-related travel. The system processes more than 25,000 transactions every day.

The contest, run by the cybersecurity platform HackerOne, was open to citizens of the so-called “Five Eyes” countries—Australia, Canada, New Zealand, the United Kingdom and United States—which often work together on cybersecurity initiatives. It came as part of a larger partnership between the Pentagon and HackerOne to crowdsource cybersecurity testing.

Bug bounty programs recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major problems capable of corrupting the entire network or exposing sensitive information, and participants are usually awarded cash prizes based on the severity of the bugs they find.

Since 2016, bug bounty programs at the Pentagon, Army and Air Force have uncovered more than 3,000 vulnerabilities in critical agency websites and IT systems. The contests not only help the agency shore up infrastructure against outside threats but can also be a boon for hackers, with more than $380,000 in bounties awarded so far.