Hack the Air Force Bug Bounty Program Finds 207 Vulnerabilities

The U.S. Air Force issues $133,400 in bug bounty awards to security researchers participating in the HackerOne-powered bug bounty program.

Hack the Air Force

Security researchers in May and June hacked the United States Air Force and got paid a total of $133,400 for their efforts. The Hack the Air Force bug bounty program enabled 272 hackers to take aim at a select list of public-facing USAF web assets to find and responsibly disclose vulnerabilities.

The Hack the Air Force bug bounty program was operated by HackerOne, which previously had run the Hack the Pentagon and Hack the Army bug bounty efforts. The goal of a bug bounty program is to engage with third-party security researchers to discover security issues and then reward the researchers for their efforts.

With Hack the Air Force, a total of 207 vulnerabilities were discovered and privately reported over the program's duration, which ran from May 30 until June 23. As part of the program, the USAF paid out bug bounty rewards ranging from $100 to $5,000 depending on the severity and impact of the reported flaw. Details on the specific flaws are not being publicly disclosed at this time.

"The $5,000 bounty was the largest bounty awarded for high impact vulnerabilities," Lauren Koszarek, director of communications at HackerOne, told eWEEK. "We can't identify the bounty amounts awarded to specific hackers."

Although the specific amounts of the rewards and the names of the researchers are not being publicly identified, the USAF and HackerOne are providing some general details on the breadth of participation in the bug bounty program. Among those who participated in the program is a 17-year old security researcher who was able to earn the top bounty sum for submitting a total of 30 valid bug reports. 

The Hack the Air Force bug bounty program also benefited from the participation of two active duty military personnel who were able to find flaws. Also of note: 33 of the 272 participants in the bug bounty program came from outside the United States. With HackerOne's previous Department of Defense (DoD)-sanctioned bug bounty programs, participants were required to be U.S. residents. 

"We are always impressed by the talent of the hacker community," Koszarek said. "Hack the Air Force was the first time non-U.S. hackers from the UK, Canada, New Zealand and Australia were invited to participate, and they submitted over 50 valid vulnerabilities." 

The Hack the Pentagon effort was the first bug bounty program operated by HackerOne for the DoD and ran from April 18, 2016, to May 12, 2016, awarding hackers a total of $71,200.

The Hack the Army program followed at the end of 2016, awarding researchers a total of $100,000. Koszarek noted that at $133,400 in awards, the new Hack the Air Force program is the highest paying federal bug bounty program to date.

Although the Hack the Air Force bug bounty program has now come to an end, the DoD still has a multiyear contract with HackerOne that was announced in October 2016 to help provide managed bug bounty programs and expertise.

"HackerOne has an ongoing contract with the Department of Defense, and we're ready to continue to execute these successful challenges over the coming years," Koszarek said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.