HackerOne announced the results of its latest federal bug bounty program for the U.S. Air Force.
The program, Hack the Air Force, was the most successful federal bug bounty program to date, resulting in 207 valid vulnerabilities disclosed and more than $130,000 in bounties awarded to white-hat hackers.
This was the most expansive federal bug bounty program to date and the first time any federal bug bounty challenge has been open to international hackers, welcoming participants from the United Kingdom, Canada, Australia and New Zealand in addition to the United States.
Hack the Air Force was HackerOne’s third partnership with the Department of Defense (DoD), following the Hack the Pentagon and Hack the Army bug bounty challenges.
The Hack the Air Force challenge ran for 24 days, from May 30, 2017 through June 23, 2017.
It engaged 272 vetted hackers to scour its public-facing IT domains for security vulnerabilities, awarding financial incentives between $100 and $5,000 per valid vulnerability reported.
Two participants in the program were active duty military personnel and 33 participants came from outside the United States.
Top participating hackers were under 20 years old, including a 17-year-old who submitted 30 valid reports and earned the largest bounty sum over the course of the challenge.
“Every organization needs to identify and fix their software vulnerabilities. The most effective way is to ask the external world for help,” said Marten Mickos, CEO of HackerOne.
“We’ve seen new levels of success with every federal bug bounty challenge and Hack the Air Force is no exception.”
“Activating the global hacker community to shore up their digital defenses is enabling faster progress than ever before.”
The diverse pool of Hack the Air Force participants contributed to the program’s success and unprecedented results.
With 207 valid vulnerabilities disclosed, Hack the Air Force was the DoD’s most successful bug bounty program to date.
The first vulnerability was reported in less than one minute. Within the first 24 hours, 23 valid reports were submitted.
The first federal bug bounty program, Hack the Pentagon, resulted in 138 valid vulnerability reports and the second program, Hack the Army, culminated in 118 valid reports.
“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure,” said Peter Kim, U.S. Air Force Chief Information Security Officer.
“By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online.”
While the Hack the Air Force challenge is now closed, any hackers who become aware of vulnerabilities can disclose them to the DoD through its ongoing vulnerability disclosure program on HackerOne.
More than 850 organizations, including the U.S. Department of Defense, U.S. General Services Administration, General Motors, Twitter, GitHub, Nintendo, Panasonic Avionics, Qualcomm, Square, Starbucks, Dropbox and the CERT Coordination Center, trust HackerOne to find critical software vulnerabilities before criminals can exploit them.
HackerOne customers have resolved over 50,000 vulnerabilities and awarded more than $19M in bug bounties.