Air Force invites hackers to a friendly dogfight
The Air Force is the latest military service to partner with HackerOne on a bug bounty competition where hackers can win prize money by finding vulnerabilities in Air Force sites.
First it was the Pentagon. Then it was the Army. Now, the Air Force is calling on hackers to take aim and fire their best cyber shots. Starting on May 15, "vetted computer specialists" can register for the Hack the Air Force bug bounty program.
"We have malicious hackers trying to get into our systems every day," said Air Force Chief Information Security Officer Peter Kim at the kickoff event held at the headquarters of HackerOne, which is running the competition.
"It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture," Kim said.
The Air Force is building on previous bounties by opening the competition to white hat hackers from "Five Eyes" nations: the U.S. plus United Kingdom, Canada, Australia and New Zealand.
The Defense Digital Service launched the Pentagon bug bounties. In January, the Air Force announced it was staffing up its own franchise of the DDS, shortly after the Army did the same.
The Hack the Pentagon competition in the spring of 2016 attracted some 1,400 participants who generated more than 1,000 vulnerability reports -- 138 were resolved, and hackers received $75,000 of prize money in return.
In late 2016, the Army advanced the concept by allowing hackers into public-facing recruiting sites containing dynamic data. In that competition, 371 participants filed more than 400 vulnerability reports, 118 of which were actionable.
That competition also opened the door to active military and government workers, which will also be the case for the Hack the Air Force competition -- though they are not eligible to collect prize money.
Coinciding with the Hack the Army event, the Department of Defense issued new guidance in coordination with the Department of Justice that provided a legal avenue for hackers to disclose vulnerabilities to the Pentagon on an ongoing basis.
"The Vulnerability Disclosure Policy is a 'see something, say something' policy for the digital domain," said former Secretary of Defense Ash Carter when the policy was announced.
Editor's note: This article was updated April 27.