Air Force shells out $26K in daylong bug bounty event

During a live-hacking event in New York City earlier this month, 25 security researchers uncovered nearly 60 unknown vulnerabilities.

Shutterstock image 625972778 linux sql
 

Security researchers participating in a bug bounty program discovered a flaw on Air Force's website that let outsiders access the Department of Defense's unclassified network.

The vulnerability was discovered as part of the Hack the Air Force 2.0 event earlier this month where 25 white-hat hackers spent several hours digging for and reporting dozens of unknown vulnerabilities for cash.

The two participants who identified the flaw at the Dec. 9 event split a $10,650 bug bounty, the largest ever from a government agency, according to the organizers of the New York City event.

The hackers, which included the Air Force's own and others from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, found more than 55 vulnerabilities in nine hours, according to a Dec. 18 blog post by HackerOne, which helped put on the program. All discovered vulnerabilities were patched by the end of the day's event.

So far, the DOD has caught 3,000 vulnerabilities through bounty and bug discovery programs. Hack the Air Force is led by the Defense Digital Service and is part of the DOD's ongoing vulnerability discovery program that rewards white hat hackers for reporting vulnerabilities. The Defense Department hosted Hack the Pentagon and Hack the Army in 2016, and the Navy hosted a similar Hack the Ship event to test the vulnerabilities in the fleet software system earlier this year.

The Air Force launched its bug bounty program in May 2017.

Overall, the Air Force paid hackers $26,883 for discoveries during the December hackathon -- a drop in the bucket compared to the more than $300,000 DOD has paid out for similar efforts.

The Air Force's program will stay open through Jan. 1, 2018.