Skip to main content

The Pentagon just paid cash to hackers who found 100+ bugs in its systems

vulnerable pentagon servers the united states department of defense
Image used with permission by copyright holder
Considering the nature of its work, it’s no surprise that the Pentagon is of huge interest to hackers, whether state sponsored or pajama wearing (OK, they could be one and the same).

Keen to beef up its cyber security to keep unwelcome visitors at bay, the Department of Defense (DoD) recently launched its first-ever bug bounty program, aptly named “Hack the Pentagon.”

Recommended Videos

Such schemes are pretty common these days, with companies like Google and Facebook inviting so-called “white hat” hackers – those doing it to help rather than cause havoc – to probe their online systems for vulnerabilities.

Set up by the DoD in partnership with HackerOne, a Silicon Valley firm that offers bug bounty services, Hack the Pentagon drew upon the skills of 1,410 white-hat hackers, with the first vulnerability report filed just 13 minutes after the challenge started.

Running for just under a month up until May 12 and focusing on five of its public-facing websites, the DoD’s program turned up a whopping 138 security vulnerabilities deemed “valid and unique,” officials revealed over the weekend. And yes, they’ve already been closed to prevent future trouble.

As a reward for their work, the defense department shared out a bounty worth around $75,000 among the hackers.

Having found so many vulnerabilities, it’s little surprise that the DoD deemed the exercise a success. And, perhaps startled that so many flaws were surfaced, it’s decided to extend the program. Starting this month, its three-pronged approach will include a “vulnerability disclosure process and policy” for the defense department so anyone with information about security weaknesses in its systems, networks, applications, and websites can submit details “without fear of prosecution.”

It also includes incentives in its acquisition policies to encourage greater transparency among contractors, and finally, it’ll expand the bug bounty programs to other parts of the department.

The Pentagon revealed in 2009 it’d spent more than $100 million in a six-month period dealing with damage caused by “daily” cyber attacks on its networks, with the intrusions carried out by everyone from “the bored teenager all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in between,” an official said at the time.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
This Bing flaw let hackers change search results and steal your files
The new Bing preview screen appears on a Surface Laptop Studio.

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk -- and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

Read more
This major Apple bug could let hackers steal your photos and wipe your device
A physical lock placed on a keyboard to represent a locked keyboard.

Apple’s macOS and iOS are often considered to be more secure than their rivals, but that doesn’t make them invulnerable. One security team recently proved that by showing how hackers could exploit Apple’s systems to access your messages, location data, and photos -- and even wipe your device entirely.

The discoveries were published on the blog of security research firm Trellix, and will be of major concern to iOS and macOS users alike, since the vulnerabilities can be exploited on both operating systems. Trellix explains that Apple patched the exploits in macOS 13.2 and iOS 16.3, which were released in January 2023, so you should update your devices as soon as you can.

Read more
Hackers just stole LastPass data, but your passwords are safe
A physical lock placed on a keyboard to represent a locked keyboard.

The developers behind password management software LastPass have just shared some concerning news: Bad actors were recently able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

Read more