Hack the Air Force results released

  • Published
  • By Senior Airman Rusty Frank
  • Secretary of the Air Force Public Affairs
The results are in for Hack the Air Force, the “white-hat hacker” bug bounty program designed to better secure Air Force online assets that ran May 30-June 23, 2017.

Bug bounty programs are an industry standard practice that helps better secure an organization’s internet presence. These programs crowd source sanctioned hackers to identify vulnerabilities within systems, which then allows the organization to quickly remedy those vulnerabilities.  

“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure,” said Peter Kim, the Air Force Chief Information Security Officer. “By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online.”

More than 270 registered and vetted information security specialists from across the U.S., United Kingdom, Canada, Australia and New Zealand discovered 207 valid vulnerabilities during the contest. Participants earned more than $130,000 in bounties. 

Two participants in the program were active duty military personnel and 33 participants came from outside the U.S. Top participating hackers were under 20 years old, including a 17-year-old who submitted 30 valid reports and earned the largest bounty sum during the challenge window.

HTAF was the most expansive federal bug bounty program to date, and the first time any federal bug bounty challenge has been open to international hackers. It built upon the success of previous Department of Defense hacking events, Hack the Pentagon and Hack the Army. 

 “The ideal end-state is that bug bounties become a regular, common tool in securing all IT assets across the Department of Defense,” said Hunter Price, the Air Force Digital Service lead. “We will always have security vulnerabilities. We can approach that reality of one two ways: we can deny it, or we can be proactive, open to it and use every tool in our toolbox to remediate or mitigate them.”