The Air Force has kicked off a second wave of its bug bounty program, dubbed Hack the Air Force, aimed at better protecting the service’s networks.
The program allows pre-approved “ethical” hackers to penetrate certain portions of military websites in search of vulnerabilities for potential cash payouts.
The first Hack the Air Force event was described as the most successful bug bounty to date, opening up participation to international hackers for the first time. The Army and Defense Department have run similar events.
Previously unannounced, Hack the Air Force 2.0 kicked off Saturday, Dec. 9, in New York City, according to a blog post from HackerOne, a bug bounty company partnering with DoD on its various bug bounty efforts. Government and Defense Department leaders have announced earlier iterations of the program.
During nine hours of hacking at the Dec. 9 event, 25 civilian hackers from seven countries along with seven airmen reported a total of 55 vulnerabilities, with six members of the Defense Media Activity supporting remediation on-site. All told, the Air Force doled out $26,883 for loopholes discovered.
In one instance, a hacker reported a vulnerability in an Air Force website that was used to pivot onto DoD’s unclassified network. Under the supervision of DoD personnel, the hacker was authorized to keep digging to see how far they could go, according to HackerOne.
“We wouldn’t have found this without you,” DMA Public Web Chief of Operations James Garrett said to the hackers.
At the conclusion of the Dec. 9 event, DoD leaders announced Hack the Air Force 2.0 will continue through Jan. 1, 2018, and will be open to citizens from the United States, Australia, Canada, New Zealand and the United Kingdom, as well as citizens from NATO countries. U.S. service members are also eligible to participate but are not eligible for bounties.
DoD has resolved over 3,000 vulnerabilities from public-facing websites through its various bug bounty programs over the past year, HackerOne said. As a result, hackers have been paid over $300,000 in bounties.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.