Air Force Pays Out Government’s Biggest Bug Bounty Yet


White-hat hackers and military cyber specialists teamed up for the latest Hack the Air Force program.

On Dec. 9, a group of elite hackers once again found themselves deep within critical Air Force networks, probing for security gaps that could put the branch’s online operations at risk. And this time, military cyber specialists joined them in the hunt.

The H1-212 hackathon partnered military cyber specialists with an A-list group of 25 ethical hackers from the United States, Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia to scour roughly 300 branch websites for vulnerabilities. The cybersecurity platform HackerOne hosted the nine-hour event in New York City and hand-picked participants from their Top 50 global ranking.

Participants discovered two bugs within the first 30 seconds of the competition, and after 9 hours, they uncovered 55 vulnerabilities worth a total of $26,883 in bounties. This included one critical bug that earned a pair of hackers $10,650, the largest single award in any government bug bounty program so far.

“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force Chief Information Security Officer Peter Kim in a statement. ”The cost-benefit of this partnership in invaluable.”

The H1-212 event kicked off Hack the Air Force 2.0, a larger bug bounty program that is running through Jan. 1. Unlike the original Hack the Air Force bug bounty, the second iteration is open to citizens of the Five Eyes countries—Australia, Canada, New Zealand, United Kingdom and United States—as well as NATO countries and Swedish citizens, making it the government’s most open bug bounty program to-date.

The live event was an overall success, HackerOne Chief Technology Officer Alex Rice told Nextgov, and in the weeks since then, participants in the public bug bounty have reported a number of vulnerabilities that went undetected in H1-212.

“The larger DOD program with HackerOne has now resolved over 3,000 vulnerabilities in public-facing systems with bug bounty challenges and the ongoing [vulnerability disclosure program],” he said. “Hackers have earned over $300,000 in bounties for their contributions, exceeding expectations and saving DOD millions of dollars.”

Bug bounty programs recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major problems capable of corrupting the entire network or exposing sensitive information.

HackerOne has led four government bug bounty programs so far, including Hack the Air Force 2.0, and the company’s Chief Executive Officer Marten Mickos told Nextgov he sees enormous potential for his self-described “talent agency” of white-hat cyber specialists.

Bug bounties bring fresh eyes to organizations that may fail to recognize their own security flaws, Mickos said. By looking at the software from the same angle as potential criminals, participants can point out the vulnerabilities they will most likely exploit.

“In the past, people looked for security inside, in small groups and in secrecy,” he said. “Now we are showing that, to be the most secure, you have to invite the external world to help you.”

While public events like Hack the Air Force 2.0 can draw people from around the world together to work on a single project, there are unique benefits to in-person bug bounty events, according to H1-212 participant Jack Cable.

At 17 years old, Cable was the youngest hacker at the event, but as the winner of the first Hack the Air Force challenge, he’s a veteran bug bounty hunter. Cable told Nextgov he benefited from the vast amount of “shared knowledge” that came from putting a group of experts in the same room. It also sped up the hacking, he said.

“In the first Hack the Air Force, everything was done online, so it could be a few hours or days before you get a response from [the Air Force],” Cable said. “[At H1-212], it was more responsive. There was a lot more motivation to find stuff when you’re working directly with them.”