Nearly 300 hackers and researchers submitted security vulnerabilities discovered in platforms used and operated by the United States Air Force as part of the military branch’s Hack the Air Force bug bounty program.
The initiative, carried out with the help of security platform HackerOne, was dubbed the most successful federal bug bounty program to date, resulting in more than 200 disclosed vulnerabilities.
Hack the Air Force, which attracted 272 vetted white hat hackers, handed out more than $130,000 in total as rewards for discovering and disclosing exploitable security vulnerabilities in the public-facing systems used by the Air Force.
Hackers received prizes that ranged from $100 to $5,000 per reported vulnerability. HackerOne reported many of the top earners were under the age of 20. The hacker who left the challenge with the biggest total payout was a 17-year-old, who submitted a total of 30 valid reports.
The challenge ran from May 30 to June 23. During that 24-day window, hackers did their best to break the Air Force’s systems with the intention of sharing what they found. A total of 207 vulnerabilities were discovered during the time frame, with the first reported less than one minute after the program opened.
Participants from the U.S. were joined by international hackers from the United Kingdom, Canada, Australia and New Zealand—marking the first time foreigners were allowed to partake in a federal bug bounty program. Thirty-three participants in total were located outside of the United States.
Hack the Air Force is the third bug bounty program run by the U.S. Department of Defense. The first such program, Hack the Pentagon, received 138 vulnerability reports. The second effort, Hack the Army, generated 118 disclosures.
“Every organization needs to identify and fix their software vulnerabilities. The most effective way is to ask the external world for help,” Marten Mickos, CEO of HackerOne, said in a statement.
“We’ve seen new levels of success with every federal bug bounty challenge and Hack the Air Force is no exception. Activating the global hacker community to shore up their digital defenses is enabling faster progress than ever before.”
The Department of Defense launched the Hack the Air Force initiative just months after the military branch suffered a data leak that exposed thousands of Air Force documents with sensitive information, including passport numbers and social security numbers of senior and high-ranking officials and celebrities.
“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion—and in this case, hundreds of second opinions—on the health and security of our online infrastructure,” Peter Kim, U.S. Air Force Chief Information Security Officer, said.
“By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online,” Kim said.
The Hack the Air Force program has closed, but hackers who find security vulnerabilities in the branch’s systems are encouraged to disclose them directly to the Department of Defense through its ongoing disclosure program hosted by HackerOne.