Bug bounty finds 54 flaws in Air Force’s new cloud system

“White hat” hackers found 54 vulnerabilities in the Air Force’s enterprisewide cloud environment during a recent bug bounty.

The bug bounty took place in spring, but notice of its results was announced Tuesday by Bugcrowd, the third-party firm that ran the bounty. The event, with around 50 private, pre-screened hackers looking for bugs, was a way for the Air Force to test the resilience of its relatively new Common Computing Environment cloud architecture as it continues to migrate data to the platform.

The Common Computing Environment started to go live in March 2018. By April of this year, the cloud had 21 applications running on the system and room for “countless more,” according to an Air Force news release.

The CCE was developed to replace the Global Combat Support System, a legacy logistics system running on-site at bases across the country. The new cloud is run on Amazon Web Service’s and Microsoft’s Azure’s commercial cloud infrastructures.

“Some apps are built with characteristics that make them a better fit for one cloud service or another,” 2nd Lt. Stephen Cunningham, a systems engineer on the CCE project, said in the April release.

It was the first hackathon the Air Force has contracted to Bugcrowd, which describes itself as a crowdsource cybersecurity platform. The service has hosted previous events to find holes in its networks and computer systems, but this is the first specific to CCE. The Air Force has worked with HackerOne and Synack on its past bug bounties.

The largest payout from the bug bounty totaled $20,000.