Let the friendly hacking fly: The US Air Force will allow vetted white-hat hackers and other computer security specialists to root out vulnerabilities in some of its main public websites.
The new Hack the Air Force contest builds on the Defense Department's Hack the Pentagon bug bounty effort by opening the contest to security specialists from Australia, Canada, New Zealand, and the United Kingdom, in addition to contestants from the US.
"That's an important part of this program: the fact that we are extending the program out to some of our close allies," says Peter Kim, CISO of the US Air Force. "When this opportunity came up, we realized that we needed to do this, we need a wider lens with a fresh set of eyes."
Kim announced the Hack the Air Force program this afternoon at the San Francisco headquarters of HackerOne, the bug bounty security firm contracted to run the contest.
Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be based on the severity of the exploit discovered, and there will be only one payout per exploit.
Staley notes that the DoD's Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government's first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.
"In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities," Staley explains. "For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown."
Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. "While the money is a draw, we're also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer," he says.
Kim said the Air Force also hopes the program will be a way to find and develop new cybersecurity talent.
"The competition for technical talent in both the public and private sectors is fiercer than it has ever been," he says. "The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields."
HackerOne co-founder and CTO Alex Rice says Hack the Pentagon has helped advance DoD's vulnerability disclosure and coordination efforts. "One quick lesson learned from Hack the Pentagon was that it pointed out the deficiency of vulnerability disclosure and coordination practices," Rice says. "It showed us all that there are bugs to be found, and coordinating resolutions with different parties can be difficult if it's not done every day. As a result, we launched an ongoing vulnerability disclosure program [for DoD] not tied to bounties."
Registration for Hack the Air Force kicks off on May 15 on HackerOne's website, and the contest runs from May 30 to June 23. Military and government employees can participate but are not eligible for compensation.