Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/26/2017
03:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

USAF Launches 'Hack the Air Force'

Bug bounty contest expands Defense Department outreach to the global hacker community to find unknown vulnerabilities in DoD networks.

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.

The new Hack the Air Force contest builds on the Defense Department's Hack the Pentagon bug bounty effort by opening the contest to security specialists from Australia, Canada, New Zealand, and the United Kingdom, in addition to contestants from the US.

"That's an important part of this program: the fact that we are extending the program out to some of our close allies," says Peter Kim, CISO of the US Air Force. "When this opportunity came up, we realized that we needed to do this, we need a wider lens with a fresh set of eyes." 

Kim announced the Hack the Air Force program this afternoon at the San Francisco headquarters of HackerOne, the bug bounty security firm contracted to run the contest.

Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD's Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government's first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

"In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities," Staley explains. "For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown."

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. "While the money is a draw, we're also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer," he says.

Kim said the Air Force also hopes Hack the Air Force will be a way for the Air Force to find and develop new cybersecurity talent.

"The competition for technical talent in both the public and private sectors is fiercer than it has ever been," he says. "The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields." 

HackerOne co-founder and CTO Alex Rice says Hack the Pentagon has helped advance DoD's vulnerability disclosure and coordination efforts. "One quick lesson learned from Hack the Pentagon was that it pointed out the deficiency of vulnerability disclosure and coordination practices," Rice says. "It showed us all that there are bugs to be found, and coordinating resolutions with different parties can be difficult if it's not done every day. As a result, we launched an ongoing vulnerability disclosure program [for DoD] not tied to bounties." 

Registration for the Hack the Air Force kicks off on May 15 on HackerOne's website, and the contest runs from May 30 to June 23. Military and government employees can participate but are not eligible for compensation.

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...