Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/10/2017
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

White Hats Take Aim in 'Hack the Air Force' Bug Bounty Program

The inaugural Air Force bug bounty program involved 272 vetted hackers, who submitted 207 valid flaws in 24 days.

The Department of Defense (DoD) let white-hat hackers take aim at the U.S. Air Force in its latest, largest, and most successful federal bug bounty program. "Hack the Air Force" resulted in 207 valid vulnerabilities disclosed and more than $130,000 in awards to participants.

This is the third time HackerOne and the DoD have partnered on a program in which hackers are invited to hunt vulnerabilities in government networks. Earlier initiatives included Hack the Pentagon and Hack the Army, which resulted in 138 and 118 valid bugs, respectively.

Hack the Air Force was announced in April 2017 and ran from May 30 through June 23. In 24 days, hackers dug through public-facing domains for security flaws. The first vulnerability was reported in less than one minute, and 23 were submitted in the first 24 hours.

Nine of the 207 valid bugs they discovered were of high or critical severity, says HackerOne CEO Marten Mickos.

"Those are the bugs you typically will fix as soon as you possibly can," Mickos explains. "It's a good sign when you find high severity bugs because then you can fix them before an adversary will use them for malicious intent."

The program involved 272 vetted hackers representing a range of ages, professional backgrounds, and nationalities. Two participants were active duty military personnel and 33 were not from the United States - a first for this type of program. The Pentagon invited participants from outside countries including the UK, Canada, Australia, and New Zealand.

"[The DoD] and we know the diversity of the hacking community is what drives great results," said Mickos. "The more countries we allow into the program, the more likely you'll find vulnerabilities you wouldn't always find."

To his point, participants from outside the US discovered 50 of the 207 total valid vulnerabilities. While it's possible future programs will include the international community, Mickos says this decision will likely be made on a case-by-case basis.

Over the course of the program, participants worked remotely using their own tools. hackerOne filtered their reports, determined their validity, and submitted bugs to the DoD.

"They don't need any expensive infrastructure or expensive access," Mickos explains. "They are trying to mimic what a criminal would do … they have to think like the bad guys."

Will future programs expand to include more hackers? It's possible, but Mickos thinks the current size at 272 is both small and varied enough to be easily manageable and drive participants to compete. If it were larger, or exclusive to solely advanced hackers, the results may be less diverse and fruitful.

"On the one hand, you would want to invite only the best hackers," he says. "On the other hand, you must create diversity and have many points of view, and have people competing with one another.

Financial compensation for vulnerabilities ranged from $100 to $5,000 per valid bug. The program's highest earner was a 17-year-old hacker who submitted 30 valid reports.

HackerOne and the DoD have an ongoing contract for challenges like this. It's worth noting that although Hack the Air Force is now closed, hackers who discover vulnerabilities can still report them to the DoD, which has an ongoing disclosure program running on HackerOne.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1842
PUBLISHED: 2020-02-18
Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Succe...
CVE-2020-8010
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
CVE-2020-8011
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
CVE-2020-8012
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
CVE-2020-1791
PUBLISHED: 2020-02-18
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system has a logic judging error under certain scenario, successful exploit could allow the attacker to switch to third desktop after a series of operation in ADB mode.