Slashdot Mirror


Hackers Find 138 Different Security Gaps In Pentagon Websites (go.com)

An anonymous reader writes from a report via ABC News: High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday. The white-hat hackers were offered various bounties if they could find vulnerabilities on five of the Pentagon's internet pages. The Pentagon says 1,410 hackers participated in the challenge and that the first gap was found just 13 minutes after the hunt began. Overall, 1,189 vulnerabilities were found, though only 138 were deemed valid and unique. The experiment cost $150,000, and about half of it was paid to the hackers as bounties. The "Hack the Pentagon" program will be followed by a series of initiatives, including a process that will allow anyone who finds a security gap in Defense Department systems to report it without fear of prosecution.


  1. Re:without fear of prosecution by Sarten-X · Score: 4, Informative

    It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.

    Testing the vulnerability is usually a crime.

    Exploiting the vulnerability just to show how it works? Also a crime.

    Breaking other unrelated laws to figure out the vulnerability? Also a crime.

    Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.

    I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.

    --
    You do not have a moral or legal right to do absolutely anything you want.