Home > Press Releases > December 20, 2018

U.S. Department of Defense Concludes Third “Hack the Air Force” Bug Bounty Challenge with HackerOne to Improve Cybersecurity

December 20, 2018

U.S. Air Force Resolves Over 120 Valid Vulnerabilities Surfaced by Hackers in Third Iteration of Hack the Air Force

SAN FRANCISCO-- December 20, 2018 --The U.S. Department of Defense (DoD) and HackerOne, the leading hacker-powered security platform, today announced the results of the Department’s seventh bug bounty program, Hack the Air Force 3.0. The federal government opened participation to eligible participants in 191 countries around the world, marking the most inclusive government bug bounty in history. This is also the third in a series of successful Air Force bug bounty program challenges. This bug bounty program focused on public-facing Air Force websites and services from October 19 to November 22, 2018. Nearly 30 participating hackers submitted over 120 valid vulnerabilities throughout the month-long program, and the U.S. Air Force awarded them over $130,000 for their efforts.

Hack the Air Force 3.0 allows the U.S. Department of the Air Force to find unknown security vulnerabilities with help from hackers, a best practice used by the most successful and secure software companies in the world. By doing so, the U.S. Air Force can ensure its systems and warfighters are as secure as possible.

“It’s critical to allow these researchers to uncover vulnerabilities in Air Force websites and systems, which ultimately strengthens our cybersecurity posture and decreases our vulnerability surface area," explained Capt James “JT” Thomas, Air Force Digital Service. “By opening up these types of challenges to more countries and individuals, we get a wide range of talent and experience we would normally not have access to in order to harden our networks.”

The DoD’s first ever bug bounty challenge was ‘Hack the Pentagon,’ which launched in 2016. Since then, more than 5,000 valid vulnerabilities have been reported in government systems through HackerOne. These bug bounty challenges and results include: Hack the PentagonHack the ArmyHack the Air ForceHack the Air Force 2.0Hack the Defense Travel System, and Hack the Marine Corps. With the pay only for results bug bounty model, to date the DoD has awarded over $500,000 to hackers who have reported valid flaws in the department public-facing systems.

“The U.S. Air Force is the only military organization in the world to leverage the crowdsourced security model three times,” said Marten Mickos, CEO of HackerOne. “Their relentless dedication to uncovering vulnerabilities before their adversaries through innovative measures remains unmatched. We’re honored to do our part in protecting government systems, employees and U.S. citizens.”

Hackers who become aware of any vulnerabilities can safely disclose them to the DoD at any time through its ongoing vulnerability disclosure program with HackerOne. The Defense Department launched its Vulnerability Disclosure Policy in 2016 as part of the Hack the Pentagon crowdsourced initiative to provide a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems.