The Hack the Air Force 2.0 bug bounty program kicked off earlier this month with researchers finding a critical vulnerability that could have been exploited to gain access to a network of the U.S. Department of Defense.
Hack the Air Force 2.0 started on December 9 with a live hacking competition hosted by the HackerOne platform at the WeWork Fulton Center inside the Fulton Center subway station in New York City.
During the event, Mathias Karlsson and Brett Buerhaus demonstrated how malicious actors could have breached an unclassified DoD network by exploiting a vulnerability in the Air Force’s website. They earned $10,650 for their findings, which is the largest single payout coming from any bug bounty program run by the U.S. government.
Seven U.S. Airmen and 25 civilian white hat hackers discovered a total of 55 vulnerabilities during the event, for which they earned $26,883.
Hack the Air Force 2.0 will run until January 1, 2018 and anyone can apply as long as they are a citizen or a permanent resident of Five Eyes countries, NATO countries, or Sweden. People from 31 countries can take part in the initiative, which makes it the most open government bug bounty program to date. Members of the U.S. military can also participate, but they are not eligible for bounties.
While anyone from these countries can apply, not everyone will be invited to actually take part. The Air Force will invite 600 people, 70 percent of which based on their HackerOne reputation score and the other 30 percent will be selected randomly.
“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force CISO Peter Kim. “We’re greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public facing AF websites. The cost-benefit of this partnership is invaluable.”
Hack the Air Force 2.0 was announced following the success of the first Hack the Air Force program, which resulted in more than $130,000 being paid out for over 200 valid vulnerability reports.
Previous DoD bug bounty projects included Hack the Pentagon, which resulted in payouts of roughly $75,000, and Hack the Army, with rewards totaling approximately $100,000. The Pentagon has paid more than $300,000 for over 3,000 flaws discovered in its public-facing systems, but the organization estimates that it saved millions of dollars by running these programs.
Roughly one year ago, the Pentagon announced a vulnerability disclosure policy that aims to provide guidance to researchers on how to disclose security holes found in the organization’s public-facing websites. While no monetary rewards are being offered, the policy provides a legal avenue for reporting flaws.