More than 200 vulnerabilities were found in the US Air Force’s “Hack the Air Force” bug bounty program, during which close to 300 researchers and hackers identified and submitted weaknesses present in platforms used by the service.
Considered the most successful bug bounty program to date, the effort was run with assistance from HackerOne, a security platform that connects cybersecurity researchers with businesses.
More than $130,000 in rewards was given out to participants who found and disclosed security vulnerabilities in the Air Force’s public-facing systems that could be exploited.
Hack the Air Force drew a vetted field of 600 "white hat" hackers – people who engage in hacking only for the sake of security and penetration testing – with prizes ranging from $100 to $5,000 for each vulnerability reported.
Such programs have become a standard industry practice that helps make an organization’s internet presence more secure.
Many of the participants who earned the most money were under the age of 20, according to HackerOne. The top earner, who submitted 30 valid reports, was only 17 years old, according to International Business Times.
The young hacker, known as Jack Cable, told Marketplace that he decided to be a white hat, "because it's really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it."
During the 24 days of the program, between May 30 and June 23, 207 vulnerabilities were found in total, with the first report coming in less than a minute after the event began.
With hackers hailing from New Zealand, Australia, Canada and the UK along with the US, this program marked the first time a federal bug bounty program allowed foreigners to participate.
This is the US Department of Defense’s third bug bounty program, with Hack the Pentagon being first, and Hack the Army coming second. There were 138 vulnerability reports in Hack the Pentagon and 118 in Hack the Army.
HackerOne CEO Marten Mickos said in a statement, "Every organization needs to identify and fix their software vulnerabilities. The most effective way is to ask the external world for help," adding that "We’ve seen new levels of success with every federal bug bounty challenge and Hack the Air Force is no exception. Activating the global hacker community to shore up their digital defenses is enabling faster progress than ever before."
Hack the Air Force was launched months after the service suffered a data leak exposing thousands of sensitive documents including personal information for celebrities and more than 4,000 officials.
US Air Force Chief Information Security Officer Peter Kim said, "Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure," and that "by engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online."