106 Security Flaws Identified in Operationally Significant DoD Websites under US Air Force’s Bug Bounty Challenge.
A team of white hat hackers working with HackerOne, a vulnerability coordination and bug bounty platform, took part in a bug bounty event hosted in collaboration with the US Air Force to identify bugs and security vulnerabilities in Air Force systems.
This live-hacking event, dubbed the Hack the Air Force bug bounty challenge 2.0, was the second installment of last year's bug bounty challenge introduced by the US Air Force (USAF). The first bug bounty challenge was held from 30 May to 23 June 2017, and around 207 valid security flaws were identified, while the event was attended by participants from the US only.
At the Hack the Air Force 2.0 event, hackers managed to identify 106 valid vulnerabilities in the cyber-security systems of the US Air Force. The department paid $103,883 to successful hackers, somewhat lower than what the Air Force paid last year, which totalled $133,400.
This time the event went global: hackers from 26 countries, including the UK, Canada, the USA, the Netherlands, Sweden, Latvia, and Belgium, were invited to participate, look for security flaws in USAF systems, and also help fix them. The purpose of the program is to improve the security of the USAF's public-facing digital assets.
According to a HackerOne spokesperson, all the identified vulnerabilities are completely new and have never surfaced before. The event started on 9 December 2017, when 24 hackers collaborated with DoD (Department of Defense) and USAF personnel and around 55 flaws were detected in 9 hours. The event was 20 days long and operated by HackerOne; according to HackerOne co-founder and CTO Alex Rice, this is the very first time his firm has worked with Defense personnel "on site" in a live-hacking event.
“We have done the bug bounty programs remotely in the past, which is common and this was the first one to start off with a live event,” Rice told eWeek.
The identified flaws affected over 300 public websites belonging to the USAF that the DoD deemed operationally significant. 55 of these flaws were noticed in December on the very first day, while the others were detected later on. The event was held in New York.
Hack the Air Force 2.0 is part of a bigger DoD project called the Hack the Pentagon program, which was introduced in 2016. It is indeed quite an expensive program, but compared to the $112,500 Google paid a lone hacker in 2017 for identifying a single vulnerability, the sum spent by the DoD is not an extravagant amount.
According to the DoD, over 3,000 security flaws have been fixed under the federal bug disclosure initiative that started in 2016 as Hack the Pentagon, and to date the government has spent over $233,000 in rewards. The results of Hack the Air Force 2.0 were disclosed on February 15th. The highest reward of $12,500 was issued for the identification of an exploit chain in a USAF website through which two security researchers managed to access the DoD's unclassified network.