
NASA, the world's leading space agency, is no stranger to cyber threats. But instead of locking out hackers, NASA invites them in—ethically.

🛰️ What Is NASA's Vulnerability Disclosure Policy?


NASA's VDP, hosted on Bugcrowd, provides a legal and structured way for ethical hackers to report security flaws. The policy encourages researchers to:

  • Avoid disrupting production systems
  • Stop testing immediately upon discovering sensitive data
  • Report vulnerabilities confidentially and promptly
  • Refrain from exploiting or exfiltrating data

In return, NASA promises no legal action for good-faith research and acknowledges contributors who follow the rules.


While there's no monetary reward, researchers often earn a spot in NASA's Hall of Fame and receive official letters of appreciation.

🧠 How Hackers Have Helped NASA

1. Google Dorking for PII

In May 2024, Gaurish Bahurupi, a novice bug hunter, used Google Dorking (crafted search-engine queries built from operators such as site:, intitle: and filetype:) to find exposed directories on NASA's domain. He discovered a file containing the names, emails, and phone numbers of over 120 personnel from the Mars Pathfinder mission.

[Image: Google Dorking]

After reporting the issue via Bugcrowd, NASA validated the vulnerability and acknowledged his contribution.
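
The workflow above has two halves: generating the dork queries, and then triaging whatever the listing exposes. The script below is an added example, not code from the original post or from the researcher. It assumes a hypothetical in-scope domain `example.gov` (substitute the domain the program's scope page actually lists) and works on a constructed CSV sample rather than any real file. The triage step follows the VDP rules quoted earlier: it counts and masks the PII so the report can describe the exposure without copying the records out.

```python
import re

# Hypothetical in-scope domain for illustration; substitute the domain the
# program's scope page actually lists before running any of these queries.
TARGET_DOMAIN = "example.gov"

# Dork templates that commonly surface exposed directory listings and
# spreadsheet/text exports that contain contact data.
DORK_TEMPLATES = [
    'site:{d} intitle:"index of"',
    'site:{d} intitle:"index of" "parent directory"',
    'site:{d} filetype:xls OR filetype:xlsx "phone"',
    'site:{d} filetype:csv OR filetype:txt "email"',
    'site:{d} inurl:backup OR inurl:old OR inurl:archive',
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North-American style numbers: (555) 123-4567, 555-123-4567, 555.123.4567, 555 123 4567
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")


def build_dorks(domain: str = TARGET_DOMAIN) -> list[str]:
    """Return the search queries to paste into the engine, one per entry."""
    return [t.format(d=domain) for t in DORK_TEMPLATES]


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain only."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def mask_phone(num: str) -> str:
    """Keep only the last two digits."""
    digits = re.sub(r"\D", "", num)
    return "*" * (len(digits) - 2) + digits[-2:]


def triage_pii(text: str) -> dict:
    """Count PII in a discovered file and return masked samples for the report.

    The VDP says to stop testing as soon as sensitive data turns up, so this
    step records counts and masked examples only, never the raw records:
    that is enough evidence for the report and avoids exfiltrating data.
    """
    emails = EMAIL_RE.findall(text)
    phones = PHONE_RE.findall(text)
    return {
        "emails": len(emails),
        "phones": len(phones),
        "sample_email": mask_email(emails[0]) if emails else None,
        "sample_phone": mask_phone(phones[0]) if phones else None,
        "stop_testing": bool(emails or phones),
    }


# Constructed sample of what a file found through a directory listing might
# look like; not real data and not taken from any host.
SAMPLE_FILE = """name,email,phone
Jane Doe,jane.doe@example.gov,(555) 123-4567
John Roe,john.roe@example.gov,555-987-6543
Mission Desk,desk@mail.example.gov,n/a
"""

if __name__ == "__main__":
    print("\n".join(build_dorks()))
    print(triage_pii(SAMPLE_FILE))
```

On the constructed sample, `triage_pii` reports three emails and two phone numbers, with `j***@example.gov` and `********67` as the masked samples, and sets `stop_testing`, which is the point at which the policy says to write the report rather than keep digging.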

2. Local File Inclusion (LFI) Leading to Critical Access

Security researcher 0xJin identified a Local File Inclusion (LFI) vulnerability in a NASA system: an unauthenticated user could make the application read arbitrary files from the server, such as /etc/passwd.

[Image: How does LFI work?]

This critical flaw, reported through Bugcrowd, earned a P1 rating (Bugcrowd's highest severity) and highlighted the importance of persistent testing.
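
To make the LFI mechanics concrete, here is an added example (not code from the original post or from the NASA system involved) that shows the vulnerable path-handling pattern next to two hardened versions. It assumes a hypothetical include handler that serves pages from `/var/www/app/templates` based on a `page` query parameter; the directory and page names are placeholders.

```python
import os
import posixpath

# Hypothetical directory the include handler is supposed to serve from;
# not a real NASA path.
TEMPLATE_DIR = "/var/www/app/templates"

# Preferred fix: a fixed mapping from page name to file, so user input never
# becomes part of a filesystem path at all.
PAGE_ALLOWLIST = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def vulnerable_resolve(base_dir: str, page: str) -> str:
    """The classic LFI pattern: the 'page' query parameter is trusted.

    posixpath.join() throws base_dir away when 'page' is absolute, and
    normalisation walks '..' straight out of base_dir, so both
    ?page=/etc/passwd and ?page=../../../../etc/passwd reach the real file.
    """
    return posixpath.normpath(posixpath.join(base_dir, page))


def safe_resolve(base_dir: str, page: str) -> str:
    """Resolve 'page' and refuse anything that lands outside base_dir.

    realpath() is applied to both sides so a symlinked base directory still
    compares equal, and commonpath() does the containment test without the
    string-prefix bug of startswith() (where '/var/www/app/templates2' would
    count as inside '/var/www/app/templates').
    """
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, page))
    if os.path.commonpath([real_base, candidate]) != real_base or candidate == real_base:
        raise PermissionError(f"refusing path outside template dir: {page!r}")
    return candidate


def is_confined(base_dir: str, page: str) -> bool:
    """True if safe_resolve() would accept the request."""
    try:
        safe_resolve(base_dir, page)
        return True
    except PermissionError:
        return False


def allowlisted_resolve(base_dir: str, page: str) -> str:
    """Strictest option: look the name up, never build a path from user input."""
    try:
        return os.path.join(base_dir, PAGE_ALLOWLIST[page])
    except KeyError:
        raise PermissionError(f"unknown page: {page!r}") from None


if __name__ == "__main__":
    for probe in ("about.html", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{probe:28} vulnerable -> {vulnerable_resolve(TEMPLATE_DIR, probe)}"
              f"   confined? {is_confined(TEMPLATE_DIR, probe)}")
```

Both traversal probes resolve to `/etc/passwd` through `vulnerable_resolve`, which is exactly the proof a P1 report would carry, while `safe_resolve` rejects them and `allowlisted_resolve` never consults the request for a path in the first place. Note that a URL-decoding layer in front of the handler does not change the picture: `..%2F` arrives as `../` by the time the path is built.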

3. Exploiting Outdated CMS for Remote Code Execution

Harish SG found that NASA was running an outdated version of the Drupal CMS that was vulnerable to CVE-2018-7600 (Drupalgeddon 2), an unauthenticated remote code execution bug. By exploiting it, he could execute arbitrary commands on NASA's servers.


He responsibly reported the issue, and NASA acknowledged his efforts after patching the vulnerability.
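
The first step in a finding like this is fingerprinting the Drupal version and checking it against the advisory. The script below is an added example, not code from the original post or from the researcher. It checks a version string against the releases Drupal's SA-CORE-2018-002 advisory lists as fixed for CVE-2018-7600 (7.58, 8.3.9, 8.4.6, 8.5.1), and pulls the version out of a constructed `CHANGELOG.txt` sample and an `X-Generator` header value; no host is contacted.

```python
import re
from typing import Optional

# Fixed releases from Drupal's SA-CORE-2018-002 advisory for CVE-2018-7600.
# 8.x branch -> first patched patch level. 8.0-8.2 were unsupported and never
# received a fix; 8.6 and later shipped after the advisory.
FIXED_8X = {3: 9, 4: 6, 5: 1}
FIXED_7X = 58


def parse_version(version: str) -> tuple:
    """'7.57' -> (7, 57, 0); '8.5.1' -> (8, 5, 1)."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable_to_cve_2018_7600(version: str) -> bool:
    major, minor, patch = parse_version(version)
    if major < 7:
        return True                 # Drupal 6 was end-of-life; treat as unpatched
    if major == 7:
        return minor < FIXED_7X
    if major == 8:
        if minor >= 6:
            return False            # 8.6+ shipped after the fix
        fixed_patch = FIXED_8X.get(minor)
        if fixed_patch is None:
            return True             # 8.0-8.2: unsupported, never fixed
        return patch < fixed_patch
    return False                    # 9.x and later postdate the bug


# Drupal 7 ships CHANGELOG.txt at the web root with the newest release on top.
CHANGELOG_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+),", re.MULTILINE)
# The X-Generator response header only reveals the major version.
GENERATOR_RE = re.compile(r"Drupal (\d+)")


def version_from_changelog(text: str) -> Optional[str]:
    m = CHANGELOG_RE.search(text)
    return m.group(1) if m else None


def major_from_generator(header_value: str) -> Optional[int]:
    m = GENERATOR_RE.search(header_value)
    return int(m.group(1)) if m else None


def assess(changelog_text: str, generator_header: Optional[str] = None) -> dict:
    """Combine the two fingerprints into a triage verdict for the report."""
    version = version_from_changelog(changelog_text)
    major = major_from_generator(generator_header) if generator_header else None
    return {
        "version": version,
        "major_from_header": major,
        "likely_vulnerable": is_vulnerable_to_cve_2018_7600(version) if version else None,
    }


# Constructed sample in the shape of a Drupal 7 CHANGELOG.txt; not fetched from any host.
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues. See SA-CORE-2018-001.

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG, "Drupal 7 (http://drupal.org)"))
```

A version match is a lead, not proof: distribution packages sometimes backport the patch while keeping the old version string, and CHANGELOG.txt is often removed or blocked. Under the VDP terms quoted earlier, the right next step is a non-destructive confirmation and a report, not running commands on the host.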

4. Recognition for Responsible Disclosure

In September 2024, a hacker known as @7h3h4ckv157 reported new vulnerabilities to NASA.


After the agency addressed the issues, they sent an official letter of appreciation, signed by NASA's Chief Information Officer, acknowledging the hacker's role in safeguarding their systems.

🔐 Why This Matters

NASA's approach to cybersecurity demonstrates the value of collaboration with the ethical hacking community.

For aspiring security researchers, participating in programs like NASA's VDP offers a unique opportunity to contribute to critical infrastructure protection and gain recognition for their skills.

🧭 Getting Started with NASA's VDP

Interested in contributing? Visit NASA's VDP page on Bugcrowd to learn more about the scope, guidelines, and submission process.

Finding bugs in NASA's systems isn't easy, but it isn't impossible either. It takes time, patience, knowledge, and the mindset to keep digging deeper.

🔁 Found this helpful? Clap 👏, share, or leave a comment

Thank you guys…