Hack the Air Force 3.0 pays out $130,000 for 120 vulnerabilities found

DDS and HackerOne leaders say the challenge was noteworthy for its inclusivity and for the types of assets security researchers were invited to test.
At Hack the Air Force 2.0, a live event. (HackerOne)

The Department of Defense’s Defense Digital Service and collaborative security platform HackerOne together announced the results Thursday of a recent Air Force-focused bug bounty — all in all, 120 vulnerabilities were found in the monthlong challenge, for which white-hat hackers were awarded a total of $130,000.

Hack the Air Force 3.0, so named because it’s the third time the Air Force has run a bug bounty program, kicked off Oct. 19 and ran through Nov. 22, during which around 30 hackers participated. DDS and HackerOne leaders say the challenge was noteworthy for its inclusivity and for the types of assets security researchers were invited to test.

It was the “most inclusive” bug bounty run by the military thus far, meaning that interested participants from a total of 191 countries (basically anywhere except China, Russia, Iran or North Korea) were allowed to participate, pending security vetting by HackerOne, of course.

This widening of the net is important because it allows the Air Force to leverage “extremely gifted” people who may hail from “nontraditional” countries, Capt. James “JT” Thomas of the Air Force Digital Service told FedScoop in a recent interview.


“By opening up these types of challenges to more countries and individuals, we get a wide range of talent and experience we would normally not have access to in order to harden our networks,” he added in a statement.

Edition 3.0 was also “unique” because of the kind of assets the Air Force invited security professionals to test, namely personnel-focused sites from Air Force A1 and the Air Force Personnel Operations Agency in San Antonio, Texas.

“Not all of these were static, information-only sites,” Thomas told FedScoop. “Some of these were definitely more dynamic and more accessed by a larger array of Air Force personnel.” This included, for example, a tool that allows airmen to look for mentors outside of their specific office or command. It also allows airmen to search for job openings.

It’s “a little more interactive,” Thomas said. “Conducting a security audit, you know, a bug bounty program, on an application as dynamic as that really I think set this challenge apart.”

“I’d say it’s the biggest impact one to date,” Thomas said.


Led by DDS, the DOD has been super active in the bug bounty space since launching its first challenge, Hack the Pentagon, in 2016. Since then the agency has run a bunch of other bounties — Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Defense Travel System and Hack the Marine Corps.

Latest Podcasts