Hacking the U.S. Air Force (again) from a New York City subway station

New York City during the holidays. Magical. Bringing together hackers from around the world to legally hack the U.S. Air Force. Double the magic.

On Saturday, December 9, we had our h1-212 live-hacking event in New York City. Live-hacking events bring security teams and top ethical hackers into the same venue with the initiative to discover as many vulnerabilities as possible.  

At around 2pm, just as the first snow of the season blanketed New York City, six members of the Public Web team from the Defense Media Activity (DMA) and four members of Defense Digital Service (DDS) flew down the hall of WeWork Fulton Center inside the bustling Fulton Center subway station.

Brett Buerhaus (ziot) had reported a vulnerability that they had to see for themselves. They peered over the shoulders of Brett and collaborator Mathias Karlsson (avlidienbrunn) while the hackers demonstrated how they had leveraged a vulnerability in an Air Force website to pivot onto the U.S. Department of Defense’s (DoD’s) unclassified network.

Hacker Mathias Karlsson demonstrates a critical vulnerability discovery to Jeremy Morrow, Lance Cleghorn, James Garrett, and Tim Creech from the DMA Public Web team

An officer stood there and told them to keep digging with his supervision to see how much deeper they could go. DMA Public Web Chief of Operations James Garrett turned to the hackers, shook their hands and said, “Thank you. We wouldn’t have found this without you.”

Hacker Brett Buerhaus shakes hands with DMA Public Web Chief of Operations James Garrett after finding a critical vulnerability

Buerhaus and Karlsson were rewarded with a $10,650 bounty that they split, the biggest single reward by any government bug bounty program to-date.

“I didn't expect how willing they were to work with us to figure out the issue and see how impactful it was,” said Buerhaus. “There's such a perception of the government being closed off and ready to sweep issues under the rug. It was great seeing how excited they were to work with us. This honestly changes everything, and it's clear they care about working with us to protect their interests.”

This is just one highlight from h1-212, our fourth live hacking event of 2017. The event also served as the kickoff for Hack the Air Force 2.0. Twenty-five civilian hackers, from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, and seven U.S. Airmen gathered for nine straight hours of hacking, reporting a total of 55 vulnerabilities. Six members of the DMA team supported remediation on-site.

The average time to first response was 25 minutes, and every report was triaged by the end of the day. As a result, the Air Force paid out a total $26,883.

“They were impressed,” said Lt. Col. Jonathan Joshua, 24th Air Force deputy chief of staff. “As a vulnerability was identified, shortly thereafter, hackers would be attempting to highlight the vulnerability to another team of hackers...but the vulnerability had already been patched. They’d be trying to grab screen shots to prepare a post-day brief, but they couldn't because the systems were already healthy.”

Even better, Air Force and DDS announced at the conclusion of the event that this is just the beginning. The Hack the Air Force 2.0 challenge will continue through January 1, 2018 and is open to all citizens or lawful permanent residents in one of the following countries: the United States, the United Kingdom, Canada, Australia, New Zealand, Albania, Belgium, Bulgaria, Canada, Croatia, Denmark, Estonia, France, Germany, Iceland, Italy, Latvia, Lithuania, the Netherlands, Norway, Poland, Portugal, Slovenia, Spain, Sweden, or Turkey. You must have a U.S. taxpayer identification number or social security number or an employer identification number, or a valid passport number from the United Kingdom, Canada, Australia, New Zealand, Albania, Belgium, Bulgaria, Canada, Croatia, Denmark, Estonia, France, Germany, Iceland, Italy, Latvia, Lithuania, the Netherlands, Norway, Poland, Portugal, Slovenia, Spain, Sweden, or Turkey. This makes the Hack the Air Force 2.0 challenge the most open government bug bounty program to-date.

Similar to the first Hack the Air Force challenge, U.S. members of the military are eligible to participate but not eligible for bounties. If you’re interested in participating, you can register here. If you are not eligible to participate in this program but find something to report, you can always disclose them here to DoD.

Hackers Frans Rosen (fransrosen) and Mathias Karlsson collaborating with two U.S. Airmen

The U.S. Air Force has one of the hardest attack surfaces to crack. By inviting the white hat hacker community to find unknown security vulnerabilities, the Air Force is supplementing the great work their talented cybersecurity team is doing already.

"Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force CISO Peter Kim. “We're greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public facing AF websites. The cost-benefit of this partnership is invaluable."

Hack the Air Force 2.0 is the fourth government public bug bounty challenge to-date, all stemming from DDS, an agency team of the DoD. In 2016, the first ever government bug bounty program launched with Hack the Pentagon, closely followed by Hack the Army, the first Hack the Air Force and an ongoing vulnerability disclosure program (VDP) for the DoD that welcomes any vulnerabilities found across public-facing government entities.

“This was a first to showcase our offensive capabilities in an official capacity alongside private and commercial sectors, and international partners,” said Maj. Gen. Christopher Weggeman, 24th Air Force commander. “Not only does this program strengthen those partnerships, it allows the Air Force to both teach and learn from the best and brightest outside of the DoD.”

One year after kickoff, DoD has resolved over 3,000 vulnerabilities in public facing systems with bug bounty challenges and the ongoing VDP, and hackers have earned over $300,000 in bounties for their contributions — exceeding expectations and saving the DoD millions of dollars.

Keep up the great work, and happy hacking!

The participating U.S. Airmen and hackers at the conclusion of h1-212 in New York City on December 9, 2017

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.