Air Force Demands Researchers to Hack It and Then Gives Record Bounties
The Hack the Air Force 2.0 challenge has led to researchers discovering over 106 security vulnerabilities across over 300 of the United States Air Force's public websites. 55 of these bugs were discovered during the live kick-off event in New York in December. One of these vulnerabilities also got its discoverer $12,500 in bug bounty - the largest bug bounty award paid by a federal program.
Hack the Air Force 2.0 is part of the Department of Defense’s (DoD) Hack the Pentagon crowd-sourced security initiative that was launched in 2016. Among other countries, hackers from the US, Canada, UK, Sweden, Netherlands, Belgium, and Latvia participated in the second Hack the Air Force hackathon. The USAF security hackathon paid out a total of $103,883 in bug disclosure rewards. While a big expenditure by a federal hackathon, Google in comparison paid $112,500 to a single hacker this past year for one security bug alone.
"Hacker-powered security is emerging as the most potent cure to the sorry state of software security,” HackerOne that organized this event for the DoD said. "The vulnerabilities that go unnoticed by scanners and other expensive security products are more quickly and more cost-effectively found by ethical hackers."
The Department of Defense said that over 3,000 security vulnerabilities have been resolved since the launch of the first federal bug disclosure program back in 2016 under the larger Hack the Pentagon program. The government has paid over $233,000 in these rewards to date.
"We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” Air Force CISO Peter Kim said in a press release. "This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come."