The Air Force just completed the second iteration of its bug bounty program, known as Hack the Air Force.

HackerOne, the service’s industry partner that helped to lead the program, announced the results of the program, citing 106 total valid vulnerabilities reported and $103,883 paid out to participating ethical, white hat hackers that disclosed vulnerabilities over the 20-day period.

Hack the Air Force 2.0 follows the first iteration of the program that launched in April 2017 and follows similar efforts launched by the Army and the Pentagon. To date, $12,500 has been the highest bounty paid and over 3,000 total vulnerabilities have been resolved in government systems since the first federal bug bounty, Hack the Pentagon, was launched in 2016.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

Alex Rice, CTO of HackerOne, told Fifth Domain that this was the first time the white hats were sitting side-by-side with Air Force personnel, hacking live as opposed to the classic remote aspect of bug bounties. The benefit of collaboration, said Rice, is that it allowed for some of the Air Force offensive cyber personnel to learn from the techniques and insights of the white hat hackers, who may approach a problem differently.

The Air Force’s CIO and chief of information dominance said this experience adds value to Air Force personnel.

“I feel like we’re practicing for gameday as opposed to practicing against little league folks and then showing up for the big game not prepared,” Lt. Gen. Bradford Shwedo, told Fifth Domain following a keynote address at a Feb. 14 AFCEA hosted event in Falls Church, Virginia.

“Seeing the threat, seeing the [tactics, techniques and procedures] and getting them ready. I don’t want them seeing the same preprogrammed scripts over and over again and these guys bring unique capabilities and things to the fight.”

Shwedo said that as long as he’s in his current role there will be more efforts like this.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In