Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com)
Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which it invited 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to."
An anonymous reader quotes Threatpost:
The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
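The finding above is a public web host relaying requests through a proxy whose routing still reached an internal network. As an added illustration (not code from Threatpost, the Army, or HackerOne), the following is an egress gate a defender would place in front of a forward proxy's relay step: it allow-lists destination names, resolves them, and then refuses any destination whose resolved address is not globally routable, so the name check alone cannot be bypassed by a name that points inward. Every hostname, IP and the resolver table are constructed placeholders so the example runs offline.

```python
"""Egress policy check for a forward proxy (added example, constructed data).

The page describes an open proxy on a public site that could reach an
internal DoD network.  This module shows the gate that was missing: a
decision function the relay step must consult before forwarding.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only external hosts this proxy may relay to.
ALLOWED_HOSTS = {
    "static.cdn.invalid",
    "api.partner.invalid",
    "mirror.partner.invalid",
}

# Constructed resolver table so the example runs offline (IPs are placeholders).
# A real proxy resolves through DNS and must apply the address check to the
# *resolved* IP, not only the name, so an allow-listed name that points at an
# internal address (misconfiguration or DNS rebinding) is still refused.
STATIC_DNS = {
    "static.cdn.invalid": "1.2.3.4",
    "api.partner.invalid": "5.6.7.8",
    "mirror.partner.invalid": "10.0.0.5",   # allow-listed name, internal target
    "intranet.corp.invalid": "10.20.30.40",
}


def resolve(host, table=STATIC_DNS):
    """Return the IP for host (literal IPs pass straight through), or None."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return table.get(host.lower())


def is_routable_externally(ip_str):
    """True only for globally routable addresses.

    ipaddress.is_global is False for RFC 1918 space, loopback, link-local,
    shared address space (100.64/10), the documentation nets and reserved
    blocks, which is exactly the set a public-facing relay must never reach.
    """
    return ipaddress.ip_address(ip_str).is_global


def authorize_egress(url, resolver=resolve):
    """Decide whether the proxy may forward to url.

    Returns (allowed, reason).  Every deny path has an explicit reason so the
    decision can be logged and alerted on; a burst of "refusing to relay
    inward" denials is itself a signal worth watching.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not relayed"
    if not host:
        return False, "request carries no host"
    host = host.lower()
    if host not in ALLOWED_HOSTS:
        return False, f"{host} is not on the egress allow-list"
    ip = resolver(host)
    if ip is None:
        return False, f"{host} did not resolve"
    if not is_routable_externally(ip):
        return False, f"{host} resolves to non-global address {ip}; refusing to relay inward"
    return True, f"{host} -> {ip}"


if __name__ == "__main__":
    for u in (
        "https://api.partner.invalid/v1/status",
        "http://mirror.partner.invalid/",
        "http://intranet.corp.invalid/",
        "http://10.20.30.40/admin",
        "http://[::1]/",
        "ftp://api.partner.invalid/",
    ):
        print(u, "->", authorize_egress(u))
```

The order of checks matters: the allow-list is evaluated on the name, but the final decision is made on the resolved address, which is the only thing that actually determines where the packets go.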
Your view of the U.S. military is about 30 years old. That's not how they work these days, and their attitude towards security is not all that different than your basic hairy FSF guys.
And their view of Trump is that he's a walking disaster just waiting to happen. I agree with your assessment that they aren't attracting the A-list talent. His cabinet sycophants are proof of that. When asked about guns in schools, Ms. DeVos opined about grizzlies in Montana invading schools.
His Treasury nominee does a first-class backstroke. When questioned about el Presidente Tweety's remarks about having U.S. debt holders accept less than face value of the debt in repayment, he trotted out the usual Republican b.s. about an expanding economy curing the debt and deficit problem, the latter to be made worse by Tweety's plans to piss off infrastructure money on his construction buddies. When it was pointed out that even their most optimistic projections of GDP growth wouldn't cover the new deficit spending, much less pay down existing debt, he whined about the senator using old figures. It was pointed out that the figures were more current than the nominee's. He then proceeded to explain that using dynamic scoring, the figures were in line. The senator told him he was full of shit. Too bad the senator's time ran out then.
In case you were wondering, static scoring is what used to be used to judge the cost of a government program. Then the Republicans figured they could make the figures look so much better if they calculated the expansion of the GDP with the new government program. That's about as honest as claiming I'll be rich if only I'd win the lottery. It isn't wrong, just highly unlikely.