Hack the Air Force 2.0, which kicked off recently with 25 of the top-ranking hackers from around the world being flown in Manhattan to find vulnerabilities in mission-critical software, has paid out $10,650 in a top bounty.
This, the largest single reward by any US government bug bounty program to date, was given to Brett Buerhaus (ziot) and collaborator Mathias Karlsson (avlidienbrunn) for finding a vulnerability that allowed the hackers to pivot onto the Department of Defense’s unclassified network.
“I didn't expect how willing they were to work with us to figure out the issue and see how impactful it was,” said Buerhaus. “There's such a perception of the government being closed off and ready to sweep issues under the rug. It was great seeing how excited they were to work with us. This honestly changes everything, and it's clear they care about working with us to protect their interests.”
This is just one highlight from h1-212, the Air Force’s fourth live hacking event of 2017. Twenty-five civilian hackers, from the US, Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, and seven US Airmen, gathered for nine straight hours of hacking, reporting a total of 55 vulnerabilities.
In all, $26,883 was was paid out to participating hackers, supported by six members of the Air Force remediation staff. The average time to first response was 25 minutes, and every report was triaged by the end of the day.
“They were impressed,” said Lt. Col. Jonathan Joshua, 24th Air Force deputy chief of staff. “As a vulnerability was identified, shortly thereafter, hackers would be attempting to highlight the vulnerability to another team of hackers...but the vulnerability had already been patched. They’d be trying to grab screen shots to prepare a post-day brief, but they couldn't because the systems were already healthy.”
The event also served as the kickoff for Hack the Air Force 2.0, which is open to 31 countries (the Five Eyes countries of Australia, Canada, New Zealand, United Kingdom and United States, NATO countries and Sweden), making it the most open government bug bounty program to-date. The challenge will continue through January 1, 2018.
Also, US members of the military are eligible to participate but not eligible for bounties.
"Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force CISO Peter Kim. “We're greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public-facing Air Force websites. The cost-benefit of this partnership is invaluable."
One year after kickoff, DoD has resolved over 3,000 vulnerabilities in public-facing systems, and hackers have earned over $300,000 in bounties for their contributions—exceeding expectations and saving the DoD millions of dollars.
“This was a first to showcase our offensive capabilities in an official capacity alongside private and commercial sectors, and international partners,” added Maj. Gen. Christopher Weggeman, 24th Air Force commander. “Not only does this program strengthen those partnerships, it allows the Air Force to both teach and learn from the best and brightest outside of the DoD.”