18 April 2020

Ethical hackers find hundreds of vulnerabilities during latest Air Force bug bounty

Andrew Eversden
Ethical hackers found more than 460 vulnerabilities in an Air Force platform during the most recent iteration of the “Hack the Air Force” program, according to a April 15 news release from security research company HackerOne.

Through “Hack the Air Force 4.0,” which ran from Oct. 23 to Nov. 20, 60 security researchers searched for vulnerabilities in an Air Force virtual data center. They ultimately earned a total of $290,000, the highest total given out through its bug bounty program so far.

At the in-person event, hackers could search for loopholes in a “specific asset” from the U.K. Ministry of Defence, the release said. The event “gave hackers the opportunity to collaborate with peers and military personnel to discover vulnerabilities," according to HackerOne.

"The U.S. Air Force provides an example of the proven impact of collaborating with hackers to bolster security,” said Jon Bottarini, federal technical program manager lead at HackerOne. “Through Defense Digital Service, the DoD has established an expansive and powerful approach to cybersecurity today, and we look forward to bringing this new challenge to the hacker community up for the task.”


Through the four ethical hacking events, the Air Force has awarded a total of about $654,000 in rewards to ethical hackers for discovering 893 vulnerabilities.

"It is the U.S. Air Force’s goal to be leaders, innovators and warriors in air, space and cyberspace,” said Michael Parker, chief information officer for U.S. Air Force deputy chief of staff for manpower, personnel, and services. “Partnering with HackerOne will allow us to take the necessary risks to harden our defenses with the assurance of a battalion of hackers on our side.”

The first Hack the Air Force event was in May 2017. Hack the Air Force 4.0 was the first event since December 2018.

So far, ethical hackers have discovered 12,000 vulnerabilities through the Department of Defense’s Hack the Pentagon initiative.

No comments: