U.S. Air Force officials announced Wednesday the start of a new Defense Department “bug bounty” program directed at the service to find cyber vulnerabilities in public-facing websites.
This new bug bounty, dubbed “Hack the Air Force,” is part of the Cyber Secure campaign sponsored by the Air Force Chief Information Office and expands on the Defense Department’s previous “Hack the Pentagon” program. The goal is to further operationalize the domain and leverage talent from inside and outside the department, the Air Force said.
Bug bounties generally involve benign, or white hat, hackers probing a network for vulnerabilities. If they find legitimate security flaws, the participants win monetary prizes.
The Air Force highlighted that this newest bug bounty broadens the participation pool beyond U.S. citizens to include white hat hackers from the United Kingdom, Canada, Australia, and New Zealand. The service is currently inviting vetted IT specialists from these nations to try to hack public Air Force websites.
“This outside approach–drawing on the talent and expertise of our citizens and partner-nation citizens–in identifying our security vulnerabilities will help bolster our cybersecurity. We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team,” Air Force Chief of Staff Gen. David Goldfein said in a statement.
Air Force Chief Information Security Officer (CISO) Peter Kim announced the program at a kick-off event at the headquarters of HackerOne, a contracted security consulting firm running the contest.
“This is the first time the AF has opened up our networks to such a broad scrutiny. We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture,” Kim said.
“The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities,” he added.
The original department-wide “Hack the Pentagon” initiative was launched last year by the Defense Digital Service as the first bug bounty used by the federal government (Defense Daily, March 21, 2016). That initial program included 1,400 eligible hackers who identified over 200 perceived vulnerabilities, with 138 found to be legitimate and unique security flaws eligible for a bounty (Defense Daily, June 17, 2016). That program paid out $75,000 to participants.
Registration for this Hack the Air Force event opens on May 15th on the HackerOne website. The program will begin on May 30th and end on June 23rd.