It took just under a minute for hackers to report the first security vulnerability to the U.S. Air Force. Twenty-five days later when the Hack the Air Force bug bounty challenge concluded, 207 valid vulnerabilities had been discovered. Hackers will be awarded more than $130,000 for making the Air Force more secure.
Following the success of Hack The Pentagon and Hack the Army, Hack the Air Force was the U.S. Department of Defense's largest bug bounty program to date open to U.S. hackers as well as participants from Australia, Canada, New Zealand, and the United Kingdom. Active duty military personnel and civilians were also invited to participate.
Nearly 300 vetted individuals registered to participate in the Hack the Air Force bug bounty challenge and more than 50 earned bounties.
Hack the Air Force was announced by Air Force Chief Information Security Officer, Peter Kim, and Chris Lynch, Director of Defense Digital Services at HackerOne headquarters.
The Department of Defense’s Defense Digital Services pioneered the first ever Federal bug bounty challenge, Hack the Pentagon, in 2016 and is continuing to do so by engaging with the global hacker community through its ongoing vulnerability disclosure policy. Progressive leaders like Peter Kim and challenges like Hack the Air Force are redefining American defenses in the digital era, understanding that great security talent and goodwill can extend beyond our borders.
“This was the first time the Air Force opened its networks to such a broad scrutiny,” said Peter Kim, the Air Force Chief Information Security Officer, at the start of the program. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
Results Are In...
Two of the Hack the Air Force participants were military personnel opting to help as an act of patriotism despite being ineligible for bounties, and 33 participants came from outside the U.S. What was particularly exciting to see was the participation from the next generation of digital patriots. Some of the top participating hackers were under 20 years old, including a 17 year old from Chicago who earned the largest bounty sum for 30 discoveries. This was the highest individual sum of any federal program to date.
The biggest Federal bug bounty program to date, Hack the Air Force targeted operationally significant websites and online services. The goal of the program was to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. And they found just that. The preliminary results made Hack the Air Force the most successful government program in history -- nearly doubling the results of the first Hack the Pentagon program a year ago.
The Hack the Air Force Bug Bounty program ran from from May 30, 2017 to June 23, 2017 and resulted in a new understanding of the Air Force’s attack surface in the form of 207 discovered real vulnerabilities, the first of which was reported in less than a minute. Within the first 24 hours, 70 reports were submitted, 23 of which were valid. Furthermore, Peter Kim and his team were more than prepared for the influx of discoveries.
Some of the reports had an initial response time of less than a minute. The average response time was 8 hours, and the average time to resolution during the challenge was 4 days. What this means is that the Air Force’s security team was extremely fast at processing reports, verifying them and resolving bugs, making them more secure, faster.
With the unprecedented success of the Air Force bug bounty pilot program, coupled with the prior work on Hack The Pentagon and Hack the Army, there is sure to be more exciting news on the horizon -- up to 17 more challenges to be exact.
In the meantime, any hackers who become aware of vulnerabilities can disclose them to the DoD’s ongoing vulnerability disclosure program on HackerOne. If you see something, say something.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.