Military Bug Bounties Expand, Air Force Issues Record Prize

Military Bug Bounties Expand, Air Force Issues Record Prize

The Defense Department held its fourth bug bounty program earlier this month to find vulnerabilities in the Air Force’s network, leading to the largest single payout in a government bug bounty yet.

Twenty-five hackers from around the world joined cyber specialists from DOD earlier this month at the WeWork Fulton Center inside the Fulton Center subway station in New York City. They gathered to find as many vulnerabilities in Air Force software as possible.

The teams spent nine hours hacking and reported 55 vulnerabilities at the event called “H1-212.” The Air Force paid out a total of $26,883 in bounties during the event.

-- Sign up for our weekly newsletter to receive the latest analysis and insights on emerging federal technologies and IT modernization.

A pair of security researchers, Brett Buerhaus and Mathias Karlsson, uncovered a vulnerability on an Air Force website that allowed them to gain access to DOD’s unclassified network, rewarding them with a $10,650 bounty — the biggest single reward by any government bug bounty program to-date, according to HackerOne.

But this isn’t a first for DOD.

The first government bug bounty program was Hack the Pentagon in 2016, which was followed by Hack the Army and the first Hack the Air Force. Each one was overseen by the Defense Digital Service. It’s grown into an ongoing vulnerability disclosure program for DOD to find vulnerabilities in public-facing government entities.

The event at the Fulton Center served as the kickoff for Hack the Air Force 2.0 — a larger challenge that will continue through Jan. 1. This next iteration is open to citizens of even more countries, making it the largest government bug bounty program yet. Its success has prompted the Air Force to open up approximately 300 of its public facing websites, according to Air Force Chief Information Security Officer Peter Kim.

Since Hack the Pentagon, DOD has resolved more than 3,000 vulnerabilities in public-facing systems with bug bounty challenges and the VDP. In total, hackers have earned more than $300,000 in bounties for their contributions, saving DOD millions of dollars, HackerOne reported.

Bug bounty programs and cash rewards are more prevalent in the tech industry where they are common strategies when corporations introduce new products or applications. Compared to corporate bug bounty payouts and processes, DOD is just getting its feet wet.

HackerOne has an exhaustive list of industry bug bounty programs that includes technology giants such as Android, Samsung Mobile, YouTube, Google, Microsoft, Tesla, Starbucks and Uber.

Microsoft, for example, has active ongoing programs with bounties that range from $5,000 to $250,000. Officials have found the cash payouts save the companies money rather by preventing severe vulnerabilities from being exposed.

Google launched a Vulnerability Rewards Program in 2010 to find flaws in nearly all of its software and services. Last year, Google rewarded a total of $3 million in bounties, a third of the total it has issued since the program started, Tech Crunch reported.

Participation between DOD and industry bug bounty programs are different. In contrast to the military’s in-person kickoff bug bounty events, industry programs are typically done virtually, and any researchers adhering to the guidelines can send a report of their findings.

The military vets computer security specialists from across the U.S. and partner nations to do their hacking. For Hack the Air Force 2.0, if registrants meet eligibility requirements, up to 600 applicants will be invited to participate.

Microsoft, on the other hand, asks any researcher submitting a report for a bounty to do so with instructions to reproduce the vulnerability via email, where it’ll then be considered.

But not all industry programs are so different. Apple held an invite-only bug bounty program in 2016 with a maximum payout of $200,000, and Uber’s bug bounty program has a maximum payout of $10,000.

When the military first introduced the bug bounties, many inside the Pentagon questioned if any hackers would take part. Instead, the first program exceeded all expectations with 250 white hat hackers issuing at least one vulnerability.

Former Defense Secretary Ash Carter announced it as a victory for the military and used it as an example for his larger initiative to engage Silicon Valley. Carter said the first bug bounty program saved DOD at least $1 million for a program that cost $150,000 to run.

Carter predicted the expansion of bug bounties last year. The recent record payout proved the former defense secretary right as he said the military needed to move away from closed systems and get more eyes on DOD systems and websites.

“The more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters," Carter said.