The results of the Pentagon’s Hack the Air Force 2.0 bug-bounty initiative are in: White hats received $103,883 in payouts and reported 106 vulnerabilities within 20 days.
The Air Force also awarded hackers the highest single bounty of any federal program to date: $12,500.
Hack the Air Force 2.0, the service's second bug bounty challenge in less than a year, invited vetted hackers from 26 countries, making it the most inclusive government program to date. Twenty-seven hackers from the US, Canada, the UK, Sweden, the Netherlands, Belgium and Latvia took part.
On December 9, the first day of the challenge, 24 hackers met in New York City for a live hacking event, the first ever with federal government participation. Department of Defense and Air Force personnel were on site, triaging the reported security flaws and remediating them in real time as the hackers worked. Together they found 55 of the 106 total vulnerabilities in nine hours.
“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen cyber-defenses and has created meaningful relationships with skilled researchers that will last for years to come.”
Hack the Air Force 2.0 is part of the US Department of Defense's Hack the Pentagon crowd-sourced security initiative. Since the program kicked off in 2016, more than 3,000 vulnerabilities have been resolved in US federal government systems. The first Hack the Air Force bug bounty challenge, held earlier in 2017, produced 207 valid reports and paid hackers more than $130,000; until this most recent challenge, it also held the record for the highest single reward of any public government program. Before that, Hack the Pentagon in May 2016 resolved 138 valid vulnerabilities and paid tens of thousands of dollars to ethical hackers, and Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid out $100,000.