Hackers Fly High with Air Force Bug Bounty

Following up on its by-all-accounts successful Hack the Army bug bounty trial, the Pentagon has announced that the Air Force has become the second US military branch to invite hackers to do their worst.

The initiative, part of the Cyber Secure campaign sponsored by the Air Force’s CIO, is broadening the participation pool this time to include not just US citizens, but also white-hat hackers from the United Kingdom, Canada, Australia and New Zealand.

“This outside approach—drawing on the talent and expertise of our citizens and partner-nation citizens—in identifying our security vulnerabilities will help bolster our cybersecurity. We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team,” said Air Force Chief of Staff Gen. David L. Goldfein.

The Department of Defense’s "Hack the Pentagon" initiative was launched by the Defense Digital Service in April 2016 as the first bug bounty program employed by the federal government. More than 1,400 hackers registered to participate in the program. Nearly 200 reports were received within the first six hours of the program’s launch, and $75,000 in total bounties was paid out to participating hackers.

Then in November, the DoD announced the Hack the Army initiative. The first vulnerability was reported within six minutes of the program launch. During the three-week program, 179 hackers participated by submitting at least one bug. In all, 416 bugs were submitted, 120 of which were actionable, meaning unique and not duplicates. Approximately $100,000 was paid out in total to researchers.

Now, it’s the Air Force’s turn.

“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Peter Kim, the Air Force CISO. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”

Registration for the Hack the Air Force event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. 
