The Hack the DTS bug bounty program uncovered dozens of vulnerabilities in the Defense Travel System serving the Department of Defense.
On 30 May, vulnerability coordination platform HackerOne revealed the results of Hack the DTS. Nineteen trusted security researchers participated in the 29-day program and submitted 100 vulnerability reports over the course of the exercise. Their findings uncovered 65 unique security weaknesses in the Defense Travel System, which facilitates the travel requirements of the U.S. Department of Defense (DoD). Nearly half (28 bugs) contained a high or critical severity warning.
For helping to make the DTS more secure, the researchers received $78,650 in reward money.
Hack the DTS proceeded under the auspices of Hack the Pentagon, one of the 10 essential bug bounty programs of 2017. The Department of Defense partnered with HackerOne to run the pilot of Hack the Pentagon in the spring of 2016. After the success of the program, DoD officials announced it would expand its contract with HackerOne to other departments. Hack the Army was the first of these initiatives, with Hack the DTS following approximately two years later..
Reina Staley, chief of staff and Hack the Pentagon program manager at Defense Digital Service, said she’s happy with the results of the Hack the DTS program. As quoted by BusinessWire:
Securing sensitive information for millions of government employees and contractors is no easy task. No system is infallible, and this assessment was the first time we employed a crowd-sourced approach to improve the security aspect of DTS. We’d like to thank the participating hackers for contributing their time to help us safeguard sensitive information.
Staley shared additional thoughts about working with white hat hackers in the video posted below.
The success of Hack the DTS underscores the value of bug bounty programs. It also highlights the need for federal departments and agencies to protect their systems against digital attacks and maintain compliance with existing standards. Tripwire can help federal agencies with both.