White hat hackers Frans Rosen and Mathias Karlsson collaborate with USAF cyber warriors Dec. 9, 2017, during the live-hacking, kickoff event for Hack the Air Force 2.0. Photo courtesy of HackerOne.
The Air Force has shelled out the highest single bounty award in the history of federal bug bounty programs: $12,500.
The award went to a vetted, white hat hacker who submitted a vulnerability during Hack the Air Force 2.0. The 20-day bug bounty ran in December 2017. It’s part of DOD’s collaboration with HackerOne, a security platform that also ran Hack the Pentagon, Hack the Army, and notably Hack the Air Force 1.0. Hackers submitted 106 valid reports in total, for which USAF paid a total of $103,883 in bounties.
HackerOne told Air Force Magazine the record-breaking bug would’ve allowed a “malicious attacker” to run harmful code on an Air Force network and manipulate other data within it. While that’s the only detail HackerOne provided, it aligns with what USAF considers a Category One cyber threat to the service. That category is reserved for an adversary who’s able to achieve unauthorized, privileged access to a USAF network, capable of changing things within or transmitting its data to an outside network.
"To HackerOne, the bounty shows that a critical vulnerability can still be found in one of the most secure systems in the world," Alex Rice, HackerOne's chief technology officer, told Air Force Magazine. "It’s exciting to see the Air Force value the contribution of this hacker."
USAF confirmed the type of vulnerability reported in an email to Air Force Magazine, adding it couldn't elaborate "due to operational security." Topping the list of egregious cyber attacks, such a threat could make it “the absolute worst-case scenario from a defensive operations perspective,” Capt. Anthony Rodriguez, the 33rd Network Warfare Squadron’s director of operations, told Air Force Magazine in a 2017 interview.
Unique to this hackathon sequel was a kickoff, live event in New York City on Dec. 9, 2017. During that, hackers Brett Buerhaus and Mathias Karlsson earned $10,650 for reporting a single vulnerability, then the single top bounty of its kind. USAF is the first federal agency to run such a live event. Rice said the service's red team's willingness to collaborate with the hackers had a notable impact on the success of the program. He also commended the Air Force's on-site, remediation teams, which he found to respond faster than "typical Fortune 500s that HackerOne works with."
"Part of this was due to the real-time, in-person interaction at the live-hacking event," said Rice, who came to HackerOne from Facebook, where he was the director of product safety. "The execution excellence demonstrated by the Air Force remediation team could easily serve as a model best practice for industry."
Also unique to Hack the Air Force 2.0 was the number of countries from which hackers could apply to participate. A record 26 countries were invited. However, only hackers from seven countries—US, Canada, UK, Sweden, Netherlands, Belgium, and Latvia—actually participated.
While HackerOne is still in talks with DOD about future hacking programs, it claims its platform and initiatives have resolved more than 3,000 vulnerabilities in government systems since 2016, when Hack the Pentagon kicked off.
"There has been a lot of interest from departments across the DOD and we are excited for the next challenge," Rice said. "At this time, it is just a matter of who is ready to execute first."
Check our Air Force Magazine's detailed breakdown of each cyber threat category in the March issue.
Daily Report: Read the day's top news on the US Air Force, airpower, and national security issues.
Tweets by @AirForceMag