Air Force opens itself up to hacking, again

It's the "most inclusive" bug bounty program to date, meaning that foreign nationals — except those from China, Russia, Iran or North Korea — are welcome to participate.
Staff Sgt. Alek Albrecht participates in a Network War Bridge Course at the 39th Information Operations Squadron Sept. 19, 2014, Hurlburt Field, Fla. Albrecht is practicing to hack into a simulated network to better understand what techniques real hackers may use when attempting to infiltrate Air Force networks. Air Force Space Command provides trained and ready cyber forces to the warfighter through 24th Air Force. Albrecht is a Air Force Network Operations and Security Center enterprise network technician. (U.S. Air Force photo/Airman 1st Class Krystal Ardrey)

The Air Force announced Monday that it has invited hackers from 191 countries to try to find vulnerabilities in systems it recently migrated to the cloud.

Yes — it’s Hack the Air Force round three. And it’s the “most inclusive” edition to date, meaning that foreign nationals — except those from China, Russia, Iran or North Korea — are welcome to participate.

This third round of the program, run in partnership with the Defense Digital Service and bug bounty platform HackerOne, will run until Nov. 22. The minimum payout for a critical vulnerability is $5,000, but that could be increased if the vulnerability is particularly integral to a system.

For example, during the kickoff event for Hack the Air Force 2.0 in December 2017, white hat hackers Brett Buerhaus and Mathias Karlsson earned $10,650 for discovering and disclosing a vulnerability that let the duo access the Defense Department’s unclassified internal network. It remains the largest single payout in the network of Hack the Pentagon challenges, HackerOne says.


“Hack the AF 3.0 demonstrates the Air Force’s willingness to fix vulnerabilities that present critical risks to the network,” Wanda Jones-Heath, Air Force chief information security officer, said in a statement.

The Air Force isn’t the only service taking advantage of crowdsourced cybersecurity possibilities — since the initial launch of Hack the Pentagon in 2016, HackerOne has run a number of programs for DOD, including Hack the Army, Hack the Air ForceHack the DTS, Hack the Air Force 2, and Hack the Marine Corps. The Pentagon recently extended its contract with HackerOne and other bug bounty services.  

Nor is this phenomenon limited to defense — the General Services Administration, the first civilian agency to run a bug bounty program, is also getting in on the action. The agency recently awarded a $2 million contract to HackerOne for the facilitation of bug bounty programs over the next few years.

The Air Force is distinct, however, in the sheer number of bounties it has organized. “The U.S. Air Force is the only military organization in the world to tap the hacker community for cybersecurity help three times,” Marten Mickos, CEO of HackerOne, said in a statement. “Their relentless dedication to uncovering vulnerabilities before their adversaries through innovative measures remains unmatched.”

Latest Podcasts