Pentagon's hacker disclosure program defangs 2,800 security flaws

de officiis
Posts: 2528
Joined: Wed Nov 30, 2016 11:09 am

Post by de officiis » Mon Nov 13, 2017 10:51 am

Pentagon's hacker disclosure program defangs 2,800 security flaws
Nearly a year after a rule change allowed good Samaritan hackers to notify the Department of Defense (DOD) about cybersecurity glitches that needed fixing, the Pentagon has mitigated more than 2,800 security problems.

The Pentagon opened its vulnerability disclosure program on November 21, 2016, inviting anyone who came across a security flaw in one of its public-facing websites to report it.

The program came on the heels of last year's "Hack the Pentagon" program, which offered cash rewards for anyone who reported a valid security problem. The vulnerability disclosure program offers no such incentives.

But even without incentives, the vulnerability disclosure program has netted valuable information for the Defense Department. Nearly than 650 hackers from more than 50 countries have submitted security shortcomings to be repaired.

The DOD operates its disclosure program using the firm HackerOne, which also ran the Hack the Pentagon program.

More than 100 of the bugs reported through the program were deemed of high or critical severity, meaning they would allow changes to important data or allow attackers to execute their own commands.

Most responses came from United States-based researchers, but HackerOne released the top nine foreign countries reporting vulnerabilities: India, Great Britain, Pakistan, the Philippines, Egypt, Russia, France, Australia and Canada.
Makes you wonder how many weren't found. Yeesh.

The Conservative
Posts: 14795
Joined: Wed Nov 30, 2016 9:43 am

Re: Pentagon's hacker disclosure program defangs 2,800 security flaws

Post by The Conservative » Mon Nov 13, 2017 10:59 am

de officiis wrote:Pentagon's hacker disclosure program defangs 2,800 security flaws
Nearly a year after a rule change allowed good Samaritan hackers to notify the Department of Defense (DOD) about cybersecurity glitches that needed fixing, the Pentagon has mitigated more than 2,800 security problems.

The Pentagon opened its vulnerability disclosure program on November 21, 2016, inviting anyone who came across a security flaw in one of its public-facing websites to report it.

The program came on the heels of last year's "Hack the Pentagon" program, which offered cash rewards for anyone who reported a valid security problem. The vulnerability disclosure program offers no such incentives.

But even without incentives, the vulnerability disclosure program has netted valuable information for the Defense Department. Nearly than 650 hackers from more than 50 countries have submitted security shortcomings to be repaired.

The DOD operates its disclosure program using the firm HackerOne, which also ran the Hack the Pentagon program.

More than 100 of the bugs reported through the program were deemed of high or critical severity, meaning they would allow changes to important data or allow attackers to execute their own commands.

Most responses came from United States-based researchers, but HackerOne released the top nine foreign countries reporting vulnerabilities: India, Great Britain, Pakistan, the Philippines, Egypt, Russia, France, Australia and Canada.
Makes you wonder how many weren't found. Yeesh.
What, the security leaks weren't enough of a hint that they weren't found and just exploited?
#NotOneRedCent

SuburbanFarmer
Posts: 25281
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Pentagon's hacker disclosure program defangs 2,800 security flaws

Post by SuburbanFarmer » Mon Nov 13, 2017 12:03 pm

While it's nice to have things more secured in general... Not sure I'd want to help that particular organization keep better secrets.
SJWs are a natural consequence of corporatism.

Formerly GrumpyCatFace

https://youtu.be/CYbT8-rSqo0

The Conservative
Posts: 14795
Joined: Wed Nov 30, 2016 9:43 am

Re: Pentagon's hacker disclosure program defangs 2,800 security flaws

Post by The Conservative » Mon Nov 13, 2017 12:16 pm

GrumpyCatFace wrote:While it's nice to have things more secured in general... Not sure I'd want to help that particular organization keep better secrets.
Secrets are meant to be kept at that level, there is also meant to be checks and balances, which is way out of whack... so choose your poison.
#NotOneRedCent

SuburbanFarmer
Posts: 25281
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Pentagon's hacker disclosure program defangs 2,800 security flaws

Post by SuburbanFarmer » Mon Nov 13, 2017 8:23 pm

The Conservative wrote:
GrumpyCatFace wrote:While it's nice to have things more secured in general... Not sure I'd want to help that particular organization keep better secrets.
Secrets are meant to be kept at that level, there is also meant to be checks and balances, which is way out of whack... so choose your poison.
Well, since the latter is completely broken, I'd say it's more useful to keep the former broken as well.
SJWs are a natural consequence of corporatism.

Formerly GrumpyCatFace

https://youtu.be/CYbT8-rSqo0

The Conservative
Posts: 14795
Joined: Wed Nov 30, 2016 9:43 am

Re: Pentagon's hacker disclosure program defangs 2,800 security flaws

Post by The Conservative » Mon Nov 13, 2017 8:46 pm

GrumpyCatFace wrote:
The Conservative wrote:
GrumpyCatFace wrote:While it's nice to have things more secured in general... Not sure I'd want to help that particular organization keep better secrets.
Secrets are meant to be kept at that level, there is also meant to be checks and balances, which is way out of whack... so choose your poison.
Well, since the latter is completely broken, I'd say it's more useful to keep the former broken as well.
One without the other, both are useless.
#NotOneRedCent