
Air Force shells out $26K in daylong bug bounty event


Security researchers participating in a bug bounty program discovered a flaw on the Air Force's website that let outsiders access the Department of Defense's unclassified network.

The vulnerability was discovered as part of the Hack the Air Force 2.0 event earlier this month, where 25 white-hat hackers spent several hours digging for and reporting dozens of unknown vulnerabilities for cash.

The two participants who identified the flaw at the Dec. 9 event split a $10,650 bug bounty, the largest ever from a government agency, according to the organizers of the New York City event.

The hackers, who included the Air Force's own and others from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, found more than 55 vulnerabilities in nine hours, according to a Dec. 18 blog post by HackerOne, which helped put on the program. All discovered vulnerabilities were patched by the end of the day's event.

So far, the DOD has caught 3,000 vulnerabilities through bounty and bug discovery programs. Hack the Air Force is led by the Defense Digital Service and is part of the DOD's ongoing vulnerability discovery program that rewards white-hat hackers for reporting vulnerabilities. The Defense Department hosted Hack the Pentagon and Hack the Army in 2016, and the Navy hosted a similar Hack the Ship event to test the vulnerabilities in the fleet software system earlier this year.

The Air Force launched its bug bounty program in May 2017.

Overall, the Air Force paid hackers $26,883 for discoveries during the December hackathon -- a drop in the bucket compared to the more than $300,000 DOD has paid out for similar efforts.

The Air Force's program will stay open through Jan. 1, 2018.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
