Security researchers celebrated the 4th of July by swamping the US Department of Defense’s new bug bounty competition, forcing it to shut hours after launch – then reopen today.
The DoD bug bounty “Hack U.S” challenge, administered by HackerOne and the DoD’s DC3 Vulnerability Disclosure Program, promised $110,000 in bounties and bonuses for vulns reported between 4 and 11 July. The contest would pay out $1,000 for a critical vulnerability and $500 for a high (capped at $75,000 in total), as well as 10 $3,000 bonuses for best find across different DoD domains, and a $5,000 bonus for best overall find.
A full list of valid web targets is available on Github – non-web vulnerabilities will also be considered.
Submissions to the DoD bug bounty contest opened at 10am Eastern US time, and were scheduled to be open until 11 July. But DC3 closed submissions within just a few hours, apparently after the VDP was overwhelmed by vulnerabilities.
An update on the Hack U.S. page said: “At ease, soldiers! The findings have been outstanding out of the gate, and we’ll need some time to review the reports. We’ll be pausing submissions and should have an update on our next move later today. Thank you for your interest and participation!”
After another update in the early hours of the morning, the DoD bug bounty competition said it would reopen for submissions at 10am Eastern US time today. This suggests despite the large number of submissions, the prize pot has not yet been exhausted (although the competition’s T&Cs make it clear it’s your tough luck if you submit too late for a prize).
The 18 Hack U.S. participants thanked by the contest had earned a total of 856 reputation points at time of writing (this number is changing, presumably as more submissions are evaluated). HackerOne’s reputation system awards a maximum 7 points for a “triaged or resolved” report, with 2 points for a duplicate report, and negative points for some other submissions.
Based on this, The Stack’s back-of-the-envelope calculations suggest valid submissions are well into double digits, and could be approaching 100.
(The theoretical maximum based on these numbers is 122, but this assumes no duplicates – if the majority of reports are duplicates, then the number of unique vulnerabilities reported could be much lower. But even assuming each vulnerability was reported three times, that would still suggest submissions of around 77 unique vulns).
DoD bug bounty payouts still possible
As Hack U.S. will only pay out prizes for critical or high vulnerabilities, with nothing for medium and low, there’s likely still a way to go. Even assuming a catastrophic 25 critical vulnerabilities were reported, that would still allow for 100 high vulns to receive DoD bug bounty payouts.
But based on the enthusiasm shown by security researchers, we would be surprised if the competition lasts the full seven days.
HackerOne declined to comment on the DoD bug bounty competition, but said more information will be available “in the coming weeks”.