Hackers Target Marines for Pentagon's Latest Bug Bounty

The Defense Department on Sunday invited some 100 handpicked hackers to hunt for security holes in the Marine Corps’ primary communications network, kicking off the Pentagon’s sixth bug bounty program.

The challenge, dubbed “Hack the Marine Corps,” began with a live-hacking event in Las Vegas, where hackers from around the world gathered last week for the Black Hat USA, DefCon and BSides Las Vegas cybersecurity conferences.

During the nine-hour event, participants found 75 vulnerabilities in the public-facing components of the Marine Corps Enterprise Network, the slice of the DOD Information Network the branch uses to manage operations at home and on the battlefield. The bugs they uncovered were worth a combined $80,000 in bounties.

The contest, hosted by cybersecurity research platform HackerOne, will continue through August 26.

Bug bounty programs recruit ethical or white-hat hackers to locate and disclose security holes within an organization’s computer networks, which can range from low-risk flaws to problems capable of corrupting the entire network or exposing sensitive information. Participants are awarded differently sized cash prizes, or bounties, based on the severity of the issues they discover.

“Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces and minimize future vulnerabilities,” said Maj. Gen. Matthew Glavy, who leads the Marine Corps Forces Cyberspace Command. “It will make us more combat ready.”

Bug bounty programs offer organizations a way to bolster cybersecurity without breaking the bank, and they’ve become much in vogue within the Pentagon in recent years.

Hack the Marine Corps comes as the latest iteration of the department’s efforts to crowdsource cybersecurity—similar programs have uncovered more than 5,000 vulnerabilities within Army, Air Force and Pentagon-wide systems and paid out some $500,000 in bounties. In 2016, the department implemented a vulnerability disclosure policy that gives ethical hackers an avenue for alerting the Pentagon to bugs without facing legal repercussions.

However, many security researchers don’t buy the hype surrounding bug bounty programs, arguing the government should build a more robust internal cybersecurity workforce instead of outsourcing that responsibility to the hacker community.

“[Those agencies] don’t need outsiders pointing out more bugs in exchange for cash if the problem is keeping up with the volume of bug issues they already know about,” Katie Moussouris, a former chief policy officer with HackerOne, told Nextgov in April.