For 24 days, hackers pounded the Air Force’s key public websites hunting for security vulnerabilities. The result? A total of 207 valid vulnerabilities were found, and the hackers took home more than $130,000 in bug bounty awards. The 272 vetted hackers from the White Hat community were participating in the ‘Hack the Air Force’ bug bounty program commissioned by the Air Force.
The newest and most successful federal program followed the earlier Department of Defense (DOD) programs, ‘Hack the Pentagon’ and ‘Hack the Army’, which together yielded more than 250 vulnerabilities.
‘Hack the Air Force’ was fast and furious
What set this program apart was its broader scope: international hackers from the United Kingdom, Canada, Australia and New Zealand were permitted to participate. Previously, participation had been limited to the United States.
Beyond the expertise they demonstrated, these hackers were fast. So fast, in fact, that the first vulnerability report was submitted less than one minute after the opening bell, and within the first 24 hours the hackers sent in another 22 reports. In such challenges, speed is often the deciding factor for who gets the award: only the first valid report of a given vulnerability is paid, and a duplicate that comes in second gets nothing.
As further evidence that a large, diverse group yields better results when hunting for vulnerabilities, the top-performing hackers were all under 20 years old. The top earner in ‘Hack the Air Force’ was a 17-year-old hacker who found 30 vulnerabilities.
Get a second opinion with a bug bounty program
In the press release, Peter Kim, U.S. Air Force Chief Information Security Officer touted the success of the ‘Hack the Air Force’ program and said, “Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure. By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online.”
Once again, the efficacy of engaging the White Hat community in an organization’s vulnerability discovery program has been clearly demonstrated. Every organization should start questioning the return on spend of the more ‘traditional approach’ to vulnerability assessments.