The US Army has shared some surprising results from its first bug bounty programme, a three-week trial in which it invited 371 security researchers “trained in figuring out how to break into computer networks they’re not supposed to”.
The Army said the experiment was a success: it received more than 400 bug reports, 118 of which were unique and actionable.
Participants who found and reported unique bugs that were fixed were paid upwards of $100,000…
The Army also shared high-level details of one issue uncovered through the bounty: a researcher discovered that two vulnerabilities on the goarmy.com website could be chained together to reach, without authentication, an internal Department of Defense website.
The researcher got in through an open proxy, meaning the routing on the public site was not restricted the way it should have been. Without even realising it at first, the researcher could reach this internal network, because there was a vulnerability in the proxy and a second one in the system behind it.
On its own, neither vulnerability was particularly interesting, but chained together they were serious.
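The page gives only a high-level description of the goarmy.com issue, so the following is an added illustration, not the Army's disclosure or goarmy.com's configuration. It models the class of bug described: an edge proxy that forwards a request to whatever the Host header names (the "routing wasn't shut down" behaviour), beside a hardened routing rule with an explicit vhost allow-list and a non-public-address check, and the raw probe request a tester sends to a public host to see whether it behaves as an open proxy. All host names and the address map are constructed for the example.

```python
"""Open-reverse-proxy routing, vulnerable and hardened, plus a probe.

Hypothetical example written for this article. It is not goarmy.com's
configuration and is not based on anything the Army published beyond
the description above. Names and addresses are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: what each Host header would resolve to
# from the proxy's position on the network. Values are invented.
RESOLVES_TO = {
    "www.example-army.test": "1.2.3.4",           # public site (made-up public address)
    "intranet.example-army.test": "10.20.30.40",  # internal-only site
    "10.20.30.41": "10.20.30.41",                 # raw internal address in Host
}

# The only virtual hosts the edge proxy is supposed to serve.
ALLOWED_VHOSTS = {"www.example-army.test"}


@dataclass(frozen=True)
class Decision:
    forwarded: bool
    upstream: Optional[str]
    reason: str


def _normalise_host(host: str) -> str:
    """Strip an optional :port and case-fold, as a proxy would."""
    return host.split(":", 1)[0].strip().lower()


def route_open(host: str) -> Decision:
    """Vulnerable routing: forward to whatever the Host header names.

    Any name the proxy can resolve, including internal ones, becomes
    an upstream, so the public edge doubles as a door into the intranet."""
    upstream = RESOLVES_TO.get(_normalise_host(host))
    if upstream is None:
        return Decision(False, None, "unresolvable host")
    return Decision(True, upstream, "forwarded on Host header alone")


def route_hardened(host: str) -> Decision:
    """Hardened routing: explicit vhost allow-list, then a defence-in-depth
    check that the resolved address is globally routable (rejects RFC 1918,
    loopback, link-local and other reserved ranges)."""
    name = _normalise_host(host)
    if name not in ALLOWED_VHOSTS:
        return Decision(False, None, "host not in vhost allow-list")
    upstream = RESOLVES_TO.get(name)
    if upstream is None:
        return Decision(False, None, "unresolvable host")
    if not ipaddress.ip_address(upstream).is_global:
        return Decision(False, None, "resolved to a non-public address")
    return Decision(True, upstream, "allow-listed vhost")


def build_probe(internal_host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request used to test a public edge for open proxying.

    The tester connects to the public site but names an internal host in
    the Host header. The internal site's content coming back (rather than
    the public site's default page or a 4xx) indicates the edge forwards
    on Host alone."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {internal_host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for h in ("www.example-army.test", "intranet.example-army.test", "10.20.30.41"):
        o, s = route_open(h), route_hardened(h)
        print(f"{h:28} open-proxy: {o.forwarded!s:5} ({o.reason}); "
              f"hardened: {s.forwarded!s:5} ({s.reason})")
    print(build_probe("intranet.example-army.test").decode())
```

The probe on its own only shows that the edge forwards; what it can reach, and whether the application behind it trusts anything arriving from the proxy, is the second bug in the chain, which this example does not model.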