USAF pays out $123K in 3-month bug bounty contest

The Air Force found 54 vulnerabilities following its first assessment focusing on continuous monitoring of the cloud-based Common Computing Environment.

The results are in for the Air Force's newly completed vulnerability assessment for its internal cloud-based Common Computing Environment.

The Cloud One/CCE Program Office at Hanscom Air Force Base and Bugcrowd found 54 vulnerabilities during a three-month continuous monitoring assessment that ran from March 18 to June 21. The most notable findings involved testers gaining access to roles or configurations to which they had not been assigned.

The duration of the crowdsourced hacking event is what set this one apart from the other bug bounties the Air Force has run, James Thomas of Air Force Digital Services told FCW via phone.

"We've been wondering how to use bug bounty from a continuous monitoring [perspective], but haven't really done that to date," Thomas said, noting that traditional bug bounty runs tend to last up to four weeks.

The bounty run doled out $123,000 in rewards with $20,000 being the top prize.

The Air Force's Common Computing Environment centralizes application hosting on two cloud platforms: Amazon Web Services and Microsoft Azure. The Air Force has been accelerating its cloud migrations, pushing its use of fast-track authority to operate, and hopes to migrate more than 100 applications this year. The bug bounty program, funded through a $34 million contract extension, supports the security posture of that effort.

Air Force Maj. Bryan Lewis, Air Force spokesperson, told FCW via email that the latest assessment increased the service's "confidence in our security architecture and exposed the cloud environments to a very thorough test." Additionally, all issues Bugcrowd discovered have been remedied, and the Air Force is employing a "different set of 'hackers' to perform additional testing against specific applications" to improve security posture.

"Cloud One/CCE intends to keep employing bug bounties and we're pursuing contract vehicles to keep this as a part of our normal operations," Lewis said.

The assessment had six parts: source code analysis; AWS environment testing; Azure environment testing; a black-box network-authentication assessment; a social engineering engagement, which evaluated tier 1 and tier 2 support desk user access; and Air Force portal testing of applications already hosted inside the environment.

Zero-trust networking, the practice of denying access by default and allowing only explicitly approved requests, wasn't tested during this assessment, because the goal was to determine how much a user with tier 1 or tier 2 support desk permissions could reach.

While it's unclear when the next bug bounty hunt will happen, the hope is that more stakeholders take advantage of the full-source analysis program where it fits. "The more we run these bounties and stakeholders see the benefit, the more folks come to us," said Clair Koroma, a Defense Digital Service expert with the title of bureaucracy hacker.

The Air Force plans "on using this as much as possible, a tool among many tools for finding risks inside the systems," said Alex Romero, another DDS bureaucracy hacker. "When we have hard problems," he said, "this is a great way to test vulnerabilities and determine the risk left over."