
Air Force shells out $26K in daylong bug bounty event


Security researchers participating in a bug bounty program discovered a flaw on the Air Force's website that let outsiders access the Department of Defense's unclassified network.

The vulnerability was discovered as part of the Hack the Air Force 2.0 event earlier this month, where 25 white-hat hackers spent several hours digging for and reporting dozens of unknown vulnerabilities for cash.

The two participants who identified the flaw at the Dec. 9 event split a $10,650 bug bounty, the largest ever from a government agency, according to the organizers of the New York City event.

The hackers, who included the Air Force's own and others from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, found more than 55 vulnerabilities in nine hours, according to a Dec. 18 blog post by HackerOne, which helped put on the program. All discovered vulnerabilities were patched by the end of the day's event.

So far, the DOD has caught 3,000 vulnerabilities through bounty and bug discovery programs. Hack the Air Force is led by the Defense Digital Service and is part of the DOD's ongoing vulnerability discovery program that rewards white-hat hackers for reporting vulnerabilities. The Defense Department hosted Hack the Pentagon and Hack the Army in 2016, and the Navy hosted a similar Hack the Ship event to test the vulnerabilities in the fleet software system earlier this year.

The Air Force launched its bug bounty program in May 2017.

Overall, the Air Force paid hackers $26,883 for discoveries during the December hackathon -- a drop in the bucket compared to the more than $300,000 DOD has paid out for similar efforts.

The Air Force's program will stay open through Jan. 1, 2018.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
