During nine hours of hacking Dec. 9 at a previously unannounced Hack the Air Force event in New York City, 25 civilian hackers from seven countries, along with seven airmen, uncovered 55 vulnerabilities.
All told, the Air Force doled out $26,883 for the loopholes discovered.
Six members of the Defense Media Activity supported remediation on-site during the second wave of the service’s bug bounty program, aimed at better protecting the service’s networks, according to a blog post from HackerOne, a bug bounty company partnering with DoD on its various bug bounty efforts.
Hack the Air Force allows pre-approved “ethical” hackers to penetrate certain portions of military websites in search of vulnerabilities for potential cash payouts.
In one instance, a hacker reported a vulnerability in an Air Force website that was used to pivot onto DoD’s unclassified network. Under the supervision of DoD personnel, the hacker was authorized to keep digging to see how far he could go, according to HackerOne.
“We wouldn’t have found this without you,” DMA Public Web Chief of Operations James Garrett told the hackers.
At the conclusion of the Dec. 9 event, DoD leaders announced that Hack the Air Force 2.0 will continue through Jan. 1 and will be open to citizens of the United States, Australia, Canada, New Zealand, the United Kingdom and NATO countries. U.S. service members are also eligible to participate but are not eligible for bounties.
The first event was described as the most successful bug bounty program to date, opening up participation to international hackers for the first time. The Army and Defense Department have run similar events.
DoD has resolved over 3,000 vulnerabilities from public-facing websites through its various bug bounty programs over the past year, HackerOne said. As a result, hackers have been paid more than $300,000 in bounties.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.