Pentagon’s hacker disclosure program defangs 2,800 security flaws

Nearly a year after a rule change allowed good Samaritan hackers to notify the Department of Defense (DOD) about cybersecurity glitches that needed fixing, the Pentagon has mitigated more than 2,800 security problems. 

The Pentagon opened its vulnerability disclosure program on November 21, 2016, inviting anyone who came across a security flaw in one of its public-facing websites to report it.

The program came on the heels of last year’s “Hack the Pentagon” program, which offered cash rewards for anyone who reported a valid security problem. The vulnerability disclosure program offers no such incentives.

{mosads}

But even without incentives, the vulnerability disclosure program has netted valuable information for the Defense Department. Nearly than 650 hackers from more than 50 countries have submitted security shortcomings to be repaired.

The DOD operates its disclosure program using the firm HackerOne, which also ran the Hack the Pentagon program. 

More than 100 of the bugs reported through the program were deemed of high or critical severity, meaning they would allow changes to important data or allow attackers to execute their own commands.

Most responses came from United States-based researchers, but HackerOne released the top nine foreign countries reporting vulnerabilities: India, Great Britain, Pakistan, the Philippines, Egypt, Russia, France, Australia and Canada.

– This report was updated at 1:42 p.m.