Air Force shells out $26K in daylong bug bounty event

Security researchers participating in a bug bounty program discovered a flaw on the Air Force's website that let outsiders access the Department of Defense's unclassified network.

The vulnerability was discovered as part of the Hack the Air Force 2.0 event earlier this month, where 25 white-hat hackers spent several hours digging for and reporting dozens of unknown vulnerabilities for cash.

The two participants who identified the flaw at the Dec. 9 event split a $10,650 bug bounty, the largest ever from a government agency, according to the organizers of the New York City event.

The hackers, who included the Air Force's own and others from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, found more than 55 vulnerabilities in nine hours, according to a Dec. 18 blog post by HackerOne, which helped put on the program. All discovered vulnerabilities were patched by the end of the day's event.

So far, the DOD has caught 3,000 vulnerabilities through bounty and bug discovery programs. Hack the Air Force is led by the Defense Digital Service and is part of the DOD's ongoing vulnerability discovery program that rewards white-hat hackers for reporting vulnerabilities. The Defense Department hosted Hack the Pentagon and Hack the Army in 2016, and the Navy hosted a similar Hack the Ship event to test the vulnerabilities in the fleet software system earlier this year.

The Air Force launched its bug bounty program in May 2017.

Overall, the Air Force paid hackers $26,883 for discoveries during the December hackathon -- a drop in the bucket compared to the more than $300,000 DOD has paid out for similar efforts.

The Air Force's program will stay open through Jan. 1, 2018.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
