Hack the Marine Corps Nets 150 Computer Bugs and $150,000 in Rewards


This marks the sixth Defense Department bug bounty.

Ethical hackers uncovered nearly 150 digital vulnerabilities in U.S. Marine Corps websites and took home $150,000 in cash rewards during the military’s sixth public bug bounty challenge, the company that managed the bounty announced Wednesday.

A pair of hackers split one $10,000 reward, which is among the highest payouts yet for the military’s bug bounty programs, according to a blog post from the company HackerOne. The record payout for a single vulnerability report so far was $12,500 during the Air Force’s second bug bounty contest.

The Hack the Marine Corps challenge kicked off with a live demonstration during the DEF CON hacking convention in August in Las Vegas.

Bug bounties are contests that offer cash rewards to ethical hackers who find vulnerabilities in an organization's websites and computer systems before malicious hackers can exploit them.

The military has run six public bug bounties during the past two years that have produced more than 800 valid vulnerability reports and more than $500,000 in payouts, HackerOne said.

Previous contests have focused on Pentagon headquarters, the Army, the Defense Department’s travel system and two at the Air Force.

Bug bounties have been slower to take root in the civilian government. The General Services Administration’s tech startup division, the Technology Transformation Service, has launched a bug bounty. Two bills moving through Congress would mandate bounties at the Homeland Security and State Departments, though neither has become law yet.

Bounty organizers have warned that organizations shouldn’t launch a bug bounty unless they’re already quickly patching vulnerabilities that are publicly reported and have the resources to respond to a high volume of bug reports.  

Those organizers typically urge all organizations to launch vulnerability disclosure programs, which give ethical hackers clear guidance for how to report vulnerabilities they find but don’t offer cash rewards.