Over 460 Vulnerabilities Resolved in Tenth Bug Bounty Challenge with U.S. Department of Defense Thanks to Hackers on HackerOne

U.S. Air Force awards hackers over $290,000 in fourth ‘Hack the Air Force’ Challenge with HackerOne 

SAN FRANCISCO — April  15, 2020 — In partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne, the number one hacker-powered security platform, today announced the results of the DoD’s tenth hacker-powered Challenge and fourth Air Force program, ‘Hack the Air Force 4.0.’ The bug bounty challenge invited white hat hackers to discover and disclose vulnerabilities within the Air Force Virtual Data Center — a pool of cloud-based servers and systems — so they can be safely resolved. Over the four-week long Challenge 60 vetted hackers reported over 460 vulnerabilities, earning more than $290,000 for helping the U.S. Air Force boost security between the remote and live hacking Challenge. 

The remote challenge ran from October 23 to November 20, 2019, with a live hacking element on November 7, 2019 during HackerOne’s live hacking event, h1-213, that took place in Los Angeles. The scope for this in-person component also featured a specific asset from the U.K. Ministry of Defence, and gave hackers the opportunity to collaborate with peers and military personnel to discover vulnerabilities in the Virtual Data Center.

“It is the U.S. Air Force’s goal to be leaders, innovators and warriors in air, space and cyberspace,” said Dr. Michael Parker, Chief Information Officer for U.S. Air Force Deputy Chief of Staff for Manpower, Personnel, and Services. “Partnering with HackerOne will allow us to take the necessary risks to harden our defenses with the assurance of a battalion of hackers on our side.” 

HackerOne has been a trusted partner for the Department of Defense for over three years, with collaboration from 500,000 hackers worldwide. The first Hack the Air Force Challenge ran in May 2017, when nearly 300 hackers discovered 207 valid vulnerabilities and earned over $130,000 in bounties (monetary rewards for valid findings). Hack the Air Force 2.0 ran in January 2018 when just 27 trusted hackers reported 106 vulnerabilities and earned $103,883 in bounties. The most recent Challenge, Hack the Air Force 3.0, concluded in December 2018. During the Challenge, 30 participating hackers submitted over 120 valid vulnerabilities throughout the month-long program and were awarded over $130,000 for their efforts. 

"We're thrilled to partner once again with the U.S. Air Force and HackerOne for this next iteration of 'Hack The Air Force'," said Anil Dewan, Digital Service Expert, Defense Digital Service. "This Challenge allowed us to not only expand our relationships with U.S. Air Force and HackerOne, but also expand the program to new U.S. Air Force assets to further bolster cyber defenses against our adversaries."

Since the launch of Hack the Pentagon over three years ago, the U.S. Department of Defense has resolved over 12,000 vulnerabilities thanks to ethical hackers, boosting its security across government entities. Last year the government agency completed its second Challenge with the U.S. Army and concluded its ‘Hack the Proxy’ Challenge with U.S. Cyber Command. Each previous bug bounty Challenge has invited trusted hackers to find vulnerabilities across different attack surfaces, securing digital defenses from adversaries. 

“The U.S. Air Force provides an example of the proven impact of collaborating with hackers to bolster security,” said Jon Bottarini, Federal Technical Program Manager lead at HackerOne. “Through Defense Digital Service, the DoD has established an expansive and powerful approach to cybersecurity today, and we look forward to bringing this new challenge to the hacker community up for the task.”

For more information about the Los Angeles live hacking event h1-213, please visit: https://www.hackerone.com/blog/live-hacking-us-air-force-uk-ministry-defence-and-verizon-media-los-angeles-h1-213.