Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/26/2017
03:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

USAF Launches 'Hack the Air Force'

Bug bounty contest expands Defense Department outreach to the global hacker community to find unknown vulnerabilities in DoD networks.

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.

The new Hack the Air Force contest builds on the Defense Department's Hack the Pentagon bug bounty effort by opening the contest to security specialists from Australia, Canada, New Zealand, and the United Kingdom, in addition to contestants from the US.

"That's an important part of this program: the fact that we are extending the program out to some of our close allies," says Peter Kim, CISO of the US Air Force. "When this opportunity came up, we realized that we needed to do this, we need a wider lens with a fresh set of eyes." 

Kim announced the Hack the Air Force program this afternoon at the San Francisco headquarters of HackerOne, the bug bounty security firm contracted to run the contest.

Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD's Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government's first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

"In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities," Staley explains. "For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown."

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. "While the money is a draw, we're also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer," he says.

Kim said the Air Force also hopes Hack the Air Force will be a way for the Air Force to find and develop new cybersecurity talent.

"The competition for technical talent in both the public and private sectors is fiercer than it has ever been," he says. "The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields." 

HackerOne co-founder and CTO Alex Rice says Hack the Pentagon has helped advance DoD's vulnerability disclosure and coordination efforts. "One quick lesson learned from Hack the Pentagon was that it pointed out the deficiency of vulnerability disclosure and coordination practices," Rice says. "It showed us all that there are bugs to be found, and coordinating resolutions with different parties can be difficult if it's not done every day. As a result, we launched an ongoing vulnerability disclosure program [for DoD] not tied to bounties." 

Registration for the Hack the Air Force kicks off on May 15 on HackerOne's website, and the contest runs from May 30 to June 23. Military and government employees can participate but are not eligible for compensation.

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4019
PUBLISHED: 2020-06-01
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability.
CVE-2020-4020
PUBLISHED: 2020-06-01
The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure.
CVE-2020-4021
PUBLISHED: 2020-06-01
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
CVE-2020-4023
PUBLISHED: 2020-06-01
The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.
CVE-2020-4013
PUBLISHED: 2020-06-01
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.