Hack the Marine Corps results are in!

Hackers work alongside Marines to discover and disclose nearly 150 vulnerabilities

We know that adversaries are continually working to exploit our networks and cripple critical operations. They don’t hold back — and in order to fight and win in all domains, neither can we. That’s why last month we launched Hack the Marine Corps, the Defense Department’s sixth public bug bounty challenge. We partnered with private-sector security firm HackerOne and the U.S. Marine Corps Cyberspace Command (MARFORCYBER) to deploy over one-hundred of the world’s top ethical hackers on the U.S. Marine Corps public-facing websites and services.

Ethical hackers collaborate with Marines to spotlight findings during the challenge. Photo credit: HackerOne.

The challenge kicked off last month in Las Vegas — coinciding with the world’s largest hacker and security conferences, Black Hat USA, DEF CON and BSides — as leading security researchers and Marines convened for ten hours of live-hacking. The hackers and Marines had one shared goal: better securing U.S. Marine Corps digital assets. Once the launch event concluded, participants were able to continue to hack away over the next twenty days while U.S. Marine personnel worked diligently to rapidly respond to and remediate bugs.

And, the results are in!

Hack the Marine Corps by the Numbers

  • Hack the Marine Corps engaged 105 registered and vetted hackers from across the globe.
  • The challenge focused on roughly 200 public-facing websites.
  • Over 150 valid vulnerabilities were discovered and reported.
  • Hackers who submitted valid vulnerabilities received a total of $151,542 for these findings.
  • During the launch event, hackers filed 75 unique valid security vulnerability reports and were initially awarded over $80,000.
  • The top performing researcher took home a collective $26,900 for identifying multiple vulnerabilities.
  • While contracts for security assessments can cost millions of dollars and take many months to run, the total cost for the Hack the Marine Corps challenge was $350,000.
  • This is the Department of Defense’s eleventh bug bounty program and its sixth bug bounty focused on public-facing assets.
  • Since the launch of Hack the Pentagon in 2016, nearly 1,000 valid vulnerabilities have been reported through our bug bounty challenges.
Photo credit: HackerOne.
“It was an honor to work on the Marine Corps program. This opportunity to help improve the security of the armed forces was not only fun, but it made me feel proud to give back. Working alongside the Marine Corps in-person felt like we were all on the same team.” — Nathanial Lattimer, ethical hacker participant & security engineer at Dropbox

Like other Defense Department bug bounties, the range of reported vulnerabilities identified through Hack the Marine Corps have varying degrees of potential impact. For instance, they can include inadvertent system-related information disclosure, improper access to personally identifiable information, the ability to access or edit public-facing sites without proper permissions, or security gaps that could allow malicious attacks.

One of the most interesting findings during the Hack the Marine Corps challenge was when a group of three hackers were able to access certain records related to Marine Corps personnel. The three hackers split one of the single largest payouts of the event: $10,000.

Photo credit: HackerOne
“During Hack the Marine Force, security researchers from all around the world effectively worked together to help secure the U.S. Department of Defense. — Inti de Ceukelaire, ethical hacker participant & creative developer, Belgium
DDS Chief Information Security Officer Alex Romero and Major General Matthew Glavy review hacker reports.
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal. What we learn from this program assists the Marine Corps in improving our warfighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities,”
— Major General Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command.

At the Defense Department, people are our greatest asset. It is our responsibility to ensure they are continually safeguarded and supported. Challenges like Hack the Marine Corps help the Department to identify and fix bugs before they can be exploited, and to minimize future vulnerabilities.

Hack the Pentagon Program Manager Reina Staley and DDS team member Jack Cable monitor results.

Hack the Pentagon

Hack the Marine Corps is part of our Hack the Pentagon crowd-sourced security initiative. Recognizing many of the nation’s biggest companies use bug bounties to improve the security and delivery of digital services, the Defense Digital Service launched the federal government’s first bug bounty challenge in 2016, proving hackers and hoodies have an important role to play in supporting national defense.

Since the launch of Hack the Pentagon, we’ve led bug bounties to hack the Army, the Air Force — twice, the Defense Travel System, and other internal DoD systems. Other public bug bounty challenges include:

  • Hack the Pentagon launched in May 2016 and resulted in over 130 valid vulnerabilities resolved and tens of thousands of dollars paid to ethical hackers.
  • Hack the Army launched in December 2016 and surfaced over 115 valid vulnerabilities resolved and paid $100,000 to hackers.
  • Hack the Air Force launched in April 2017 and resulted in over 200 valid vulnerabilities resolved and more than $130,000 paid to hackers.
  • Hack the Air Force 2.0 launched in December 2017 and resulted in over 100 valid vulnerabilities resolved and $103,883 paid to hackers.
  • Hack the Defense Travel System launched in April 2018 and focused on testing a DoD enterprise system and resulted in 100 security vulnerabilities reported and $80,000 paid to hackers.

As part of Hack the Pentagon, the Defense Department launched its Vulnerability Disclosure Policy in 2016 to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems. After the close of bug bounty challenges, hackers who become aware of vulnerabilities can disclose them to the DoD through its ongoing vulnerability disclosure program. Thousands of valid vulnerabilities have since been reported through our Hack the Pentagon crowdsourced security initiative.

Turning to the global ethical hacker community allows us to tap into new perspectives and ways of thinking to boost national security and hunt for vulnerabilities. We’re excited to see Hack the Pentagon continue to build momentum and bring together ethical hackers who want to make a difference and help protect our nation. Thank you to the U.S. Marine Corps and the hackers who joined us from all over the globe!

Stay tuned as we continue working to bring in the best talent, technology, and approaches from the private sector to help transform government IT and better protect our country.

“It was great having the opportunity to work side by side with the Marines to help secure their assets. These are my favorite types of programs to be a part of, because they allow me to have a massive impact on systems critical to national security.” — Tanner Emek, ethical hacker participant & full time bug bounty hunter

Join Us!

Interested in proving hoodies, hackers, and nerds have an important role to play in furthering national defense missions? We’ve built a team at the Pentagon of top technical talent to transform how the Defense Department builds and delivers digital services and products for the three million civilian and military employees in the U.S. and around the world.

After winning the Hack the Air Force challenge, renowned ethical hacker Jack Cable was recruited by and
joined DDS for a tour of duty this summer. 18-year old Cable helped to support the Hack the Marine Corps
Challenge, lending his unique, hacker security skills and perspective towards the planning of the challenge. Jack provides an overview to Hackers at the launch event of the challenge scope. Photo credit: HackerOne.

Learn about opportunities to work with us to improve government technology. DDS is an agency branch of the U.S. Digital Service.