The US Air Force's third bug bounty program has concluded after a month-long hacking period, which ran from October 19 to November 22, 2018. As a result of their research findings, hackers were awarded more than $130,000 in bounties.
According to the official results of Hack the Air Force 3.0 (HTAF 3.0), released by the U.S. Department of Defense (DoD) and HackerOne, the Air Force fixed over 120 valid security vulnerabilities, bringing the combined total of the three bug bounty challenges to more than 430 unique security vulnerabilities discovered and fixed. In total, researchers have earned more than $350,000 through the HTAF programs.
“It’s critical to allow these researchers to uncover vulnerabilities in Air Force websites and systems, which ultimately strengthens our cybersecurity posture and decreases our vulnerability surface area,” said Capt. James “JT” Thomas, Air Force digital services.
“By opening up these types of challenges to more countries and individuals, we get a wider range of talent and experience we would normally not have access to in order to harden out networks.”
HackerOne CEO Marten Mickos applauded the continued efforts of the US Air Force, noting in a press release that it is “the only military organization in the world to leverage the crowdsourced security model three times. Their relentless dedication to uncovering vulnerabilities before their adversaries through innovative measures remains unmatched. We’re honored to do our part in protecting government systems, employees and U.S. citizens.”
In related news, the UK government has announced that it will also be leveraging the crowdsourced security model available through HackerOne. The National Cyber Security Centre (NCSC), part of GCHQ, announced that it will launch a vulnerability disclosure program.
The NCSC vulnerability coordination pilot has been a project in the making for the past two years, during which time the NCSC has come to understand that “having a mature and coordinated vulnerability disclosure process helps decrease the risk of an incident occurring.”