The four-week Hack the Army scheme generated 416 vulnerability reports (nearly 30 percent of which are unique and actionable) and approximately $100,000 for security researchers and bug hunters.
The most significant finding, as reported by HackerOne, a security consulting firm under contract with the Pentagon, came from a chain of vulnerabilities that let a researcher pivot from the public-facing goarmy.com site to an internal Department of Defense page that normally requires special credentials to access.
"On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious," HackerOne explained.
The Army remediation team and Army Cyber Protection Brigade stepped in to patch the hole.
HackerOne (Score:2)
And I don't hold them in very high regard, as all we've got from them is that "your webshop has some information leak vulnerabilities". We don't use the webshop, haven't done for about 3 years (yeah, we should turn it off really, it doesn't sell anything), and - and this is the killer - in our requirements we specifically say "all we care about is our C codebase, not our website". So HackerOne bodgers apparently can't even read.
