Hack the Air Force 2.0 invites 26 countries to participate, reports 106 vulnerabilities

SAN FRANCISCO. Officials at HackerOne released the results of the second Hack the Air Force bug bounty challenge. Hack the Air Force 2.0 is part of the Department of Defense’s (DoD) Hack the Pentagon crowd-sourced security initiative. Twenty-seven trusted hackers participated in the Hack the Air Force bug bounty challenge — reporting 106 valid vulnerabilities and earning $103,883.

2.0 invited trusted hackers from all over the world to participate in its second challenge in less than a year. The 20-day bug bounty challenge was the most inclusive government program to-date, with 26 countries invited to participate. Hackers from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia, participated in the challenge. The Air Force awarded hackers the highest single bounty award of any Federal program to-date, $12,500.

On December 9, the first day of the challenge, 24 hackers met in New York City and participated in a live hacking event, the first ever including federal government participation. DoD and US Air Force personnel were on-site and worked alongside the hackers to simultaneously report security flaws and remediate them in real-time. Together, they collaborated to find 55 of the 106 total vulnerabilities in nine hours during this one-day event.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” says Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

Since the program kicked off in 2016, over 3,000 vulnerabilities have been resolved in government systems. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hacker earned more than $130,000 for their contributions. At the time, it was the highest total and single rewards of any public government program. Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000, and Hack the Pentagon in May 2016 resulted in 138 valid vulnerabilities resolved and tens of thousands paid to ethical hackers for their efforts. Hack the Air Force 2.0 demonstrates continued momentum of the Hack the Pentagon program beyond just its first year, as well as a hardened attack surface.