White hat hackers have uncovered 138 holes in five US Department of Defense public websites as part of the US government’s first ever bug bounty competition.
The DoD claimed to have saved as much as US$850,000 (A$1.1 million) by opening the web properties up to competing cyber security experts rather than calling in infosec contractors to patch its vulnerabilities.
Its ‘Hack the Pentagon’ program, which ran between April 18 and May 12 this year, cost it US$150,000, with about half that sum paid out to participating hackers.
In total, 1400 participants signed up for the bug-hunting competition. Around 250 hackers submitted reports, and 138 won a payout.
Secretary of Defense Ash Carter thanked the white hat hackers who took part in the scheme.
"We know that state-sponsored actors and black hat hackers want to challenge and exploit our networks," he said.
"What we didn't fully appreciate before this pilot was how many white hat hackers there are who want to make a difference - hackers who want to help keep our people and nation safer."
The Pentagon said it will now apply the lessons of the bug bounty experiment to a range of new cyber security policies it has in the works.
The Department of Defense is already working on a formal vulnerability disclosure process that would allow “anyone with information about vulnerabilities in DoD systems, networks, applications, or websites [to] submit it to the department without fear of prosecution”.
It also plans to duplicate the Hack the Pentagon program in other areas of the department, and to write incentives into its procurement policies that would reward suppliers who open their systems and source code for testing.
“We recognise that this is a really valuable tool. It's a huge change for the Department of Defense in terms of how we recognise the ability for people to come in and help us secure systems themselves," Defense digital services director Chris Lynch said.
The efforts come as the DoD strives to repair trust in its information security following an attack on the Office of Personnel Management last year that compromised millions of files on government and defence employees.
Hackers were required to undergo criminal background checks before taking part in the Hack the Pentagon program.