4/26/2017 03:30 PM
USAF Launches 'Hack the Air Force'

Bug bounty contest expands Defense Department outreach to the global hacker community to find unknown vulnerabilities in DoD networks.

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists to root out vulnerabilities in some of its main public websites.

The new Hack the Air Force contest builds on the Defense Department's Hack the Pentagon bug bounty effort by opening the contest to security specialists from Australia, Canada, New Zealand, and the United Kingdom, in addition to contestants from the US.

"That's an important part of this program: the fact that we are extending the program out to some of our close allies," says Peter Kim, CISO of the US Air Force. "When this opportunity came up, we realized that we needed to do this, we need a wider lens with a fresh set of eyes." 

Kim announced the Hack the Air Force program this afternoon at the San Francisco headquarters of HackerOne, the bug bounty security firm contracted to run the contest.

Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD's Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government's first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

"In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities," Staley explains. "For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown."

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. "While the money is a draw, we're also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer," he says.

Kim said the Air Force also hopes the program will be a way to find and develop new cybersecurity talent.

"The competition for technical talent in both the public and private sectors is fiercer than it has ever been," he says. "The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields." 

HackerOne co-founder and CTO Alex Rice says Hack the Pentagon has helped advance DoD's vulnerability disclosure and coordination efforts. "One quick lesson learned from Hack the Pentagon was that it pointed out the deficiency of vulnerability disclosure and coordination practices," Rice says. "It showed us all that there are bugs to be found, and coordinating resolutions with different parties can be difficult if it's not done every day. As a result, we launched an ongoing vulnerability disclosure program [for DoD] not tied to bounties." 

Registration for Hack the Air Force kicks off on May 15 on HackerOne's website, and the contest runs from May 30 to June 23. Military and government employees can participate but are not eligible for compensation.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
