Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Over $100,000 Paid Out in ‘Hack the Air Force 2.0’

HackerOne on Thursday announced the results of a bug bounty challenge run by the U.S. Air Force on its platform. More than $100,000 were paid out for over 100 vulnerabilities reported during Hack the Air Force 2.0.

HackerOne on Thursday announced the results of a bug bounty challenge run by the U.S. Air Force on its platform. More than $100,000 were paid out for over 100 vulnerabilities reported during Hack the Air Force 2.0.

The challenge ran between December 9 and January 1. The U.S. Department of Defense paid out a total of $103,883 for 106 valid vulnerability reports submitted by 27 hackers from the U.S., Canada, U.K., Sweden, Netherlands, Belgium and Latvia.

The largest single payout, which is also the highest reward in any federal bug bounty program to date, was $12,500.

Of the 106 flaws, 55 were discovered on the first day of Hack the Air Force 2.0 during a live hacking event at the WeWork Fulton Center inside the Fulton Center subway station in New York City.Hack the Air Force 2.0

Seven U.S. Airmen and 25 civilians earned a total of over $26,000 on the first day, including $10,650 by Mathias Karlsson and Brett Buerhaus, who demonstrated how malicious actors could have breached an unclassified DoD network by exploiting a vulnerability in the Air Force’s website.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

The first edition of Hack the Air Force paid out more than $130,000 for 207 valid vulnerability reports. The bug bounty challenges run by the Pentagon on the HackerOne platform since 2016 led to the discovery and patching of more than 3,000 vulnerabilities, with a total of over $400,000 awarded to white hat hackers.

The Pentagon also has a vulnerability disclosure policy that aims to provide guidance to researchers on how to disclose security holes found in the organization’s public-facing websites. While no monetary rewards are being offered, the policy provides a legal avenue for reporting flaws.

Related: HackerOne Offers Free Service to Open Source Projects

Advertisement. Scroll to continue reading.

Related: General Services Administration Launches Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...