USAF pays out $123K in 3-month bug bounty contest

Registration opens for DOD bug bounty program 

The results are in for the Air Force's newly completed vulnerability assessment for its internal cloud-based Common Computing Environment.

The Cloud One/CCE Program Office at Hanscom Air Force Base and Bugcrowd found 54 vulnerabilities, most notably from gaining access to certain roles or configurations to which they were not assigned, during a three-month continuous monitoring assessment that ran from March 18 to June 21.

The duration of the crowdsourced hacking event is what set this one apart from the other bug bounties the Air Force has run, James Thomas of Air Force Digital Services told FCW via phone.

"We've been wondering how to use bug bounty from a continuous monitoring [perspective], but haven't really done that to date," Thomas said, noting that traditional bug bounty runs tend to last up to four weeks.

The bounty run doled out $123,000 in rewards with $20,000 being the top prize.

The Air Force's Common Computing Environment centralizes application hosting on two cloud platforms: Amazon Web Services and Microsoft Azure. The Air Force has been accelerating its cloud migrations, pushing its use of fast-track authority to operate and hopes to migrate more than 100 applications this year and the bug bounty program helps with security posture through a $34 million contract extension.

Air Force Maj. Bryan Lewis, Air Force spokesperson, told FCW via email, the latest assessment increased the service's "confidence in our security architecture and exposed the cloud environments to a very thorough test." Additionally, all issues BugCrowd discovered have been remedied and the Air Force is employing a "different set of 'hackers' to perform additional testing against specific applications" to improve security posture.

"Cloud One/CCE intends to keep employing bug bounties and we're pursuing contract vehicles to keep this as a part of our normal operations," Lewis said.

The assessment had six parts: source code analysis; AWS environment testing; Azure environment testing; Black Box network-authentication assessment; social engineering engagement, which evaluated tier 1 and 2 support desk user access; and Air Force portal testing of applications already hosted inside the environment.

Zero-trust networking, the practice of automatically denying access except for approved requests, wasn't tested during this assessment because the goal was to figure out how much users with Tier 1 or 2 support desk permissions could access.

While it's unclear when the next bug bounty hunt will happen, the hope is that more shareholders take advantage of the full-source analysis program where it fits. "The more we run these bounties and stakeholders see the benefit, the more folks come to us," said Clair Koroma,a Defense Digital Service expert with the title of bureaucracy hacker.

The Air Force plans "on using this as much as possible, a tool among many tools for finding risks inside the systems," said Alex Romero another DDS bureaucracy hacker. "When we have hard problems," he said, "this is a great way to test vulnerabilities and determine the risk left over."

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.