'Hack the Army' Program Nets 118 Bugs

posted by n1 on Friday January 27, @09:19AM   Printer-friendly
from the cheaper-than-hiring-people dept.
Security Code

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

The four-week Hack the Army scheme generated 416 vulnerability reports (nearly 30 percent of which are unique and actionable) and approximately $100,000 for security researchers and bug hunters.

The most significant flaw—as reported by HackerOne, a security consulting firm under contract with the Pentagon—was uncovered due to a series of chained vulnerabilities that unwittingly took a hacker from the public-facing goarmy.com site to an internal Department of Defense page usually requiring special credentials to access.

"On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious," HackerOne explained.

The Army remediation team and Army Cyber Protection Brigade stepped in to patch the hole.

Source: PCMag.com

Original Submission



  • HackerOne (Score:2)

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Friday January 27, @10:22AM (#459407) Homepage
    HackerOne are not "a security consulting firm under contract with the Pentagon". They are a go-between between independent hackers/bodgers and companies who want to give out bounties for bug reports and fixes.

    And I don't hold them in very high regard, as all we've got from them is that "your webshop has some information leak vulnerabilities". We don't use the webshop, haven't done for about 3 years (yeah, we should turn it off really, it doesn't sell anything), and - and this is the killer - in our requirements we specifically say "all we care about is our C codebase, not our website". So HackerOne bodgers apparently can't even read.
    --
    I was worried about my command. I was the scientist of the Holy Ghost.