Finding Auth Bypass Across 60 Military Deployments

Anduril Industries builds defense technology. Their Lattice platform is the command-and-control system that ties together autonomous drones, sensors, and battlefield awareness tools. It is deployed across military and government environments. This is not a startup playing pretend. This is real defense infrastructure used by real operators.

While testing Anduril's bug bounty program, we found an authentication vulnerability in Lattice that allowed redirecting authenticated users to attacker-controlled URLs after completing SSO login. The issue existed in the authentication flow itself, meaning it was present everywhere Lattice was deployed.

That turned out to be over 60 instances. Production environments, development environments, and military deployments. All of them shared the same authentication implementation, so the vulnerability was systemic. One bug, replicated across every deployment of the platform.

The business impact was significant. An attacker could intercept authenticated sessions by directing users to a malicious destination after they completed a legitimate SSO login. In a military context, the consequences of credential theft go well beyond the typical bug bounty scenario.

We reported the finding through Anduril's HackerOne program. Their security team responded quickly and took the issue seriously. The fix required changes to the core authentication flow, which then needed to propagate across all 60 deployments.

What we like about this finding is that it shows how a single auth flaw can scale. Most people think of vulnerabilities as isolated to one application. But when a platform is deployed dozens of times across sensitive environments, one bug becomes sixty bugs. That is the kind of impact that makes bug bounty work feel meaningful.