AIR FORCE NEWS
Air Force Fixes Bugs Following Hacker Challenge
The Air Force was able to identify more than 460 security vulnerabilities in its virtual data center with the help of a bug bounty facilitator company.
Bug bounty programs have become a tool for the Defense Department to gain more insight about its cyber vulnerabilities.
HackerOne announced in April the results of its “Hack the Air Force 4.0” challenge, where more than 60 hackers from 21 countries participated in a four-week long challenge to seek and disclose vulnerabilities within the Air Force Virtual Data Center.
The data center is “a pool of cloud-based servers and systems,” according to HackerOne, a San Francisco-based company.
The challenge began with an opportunity for participants to assess Air Force assets. At the end of the assessment period, a live hacking event took place, said Antoine Williams-Baisy, technical program manager II at the company.
“Hackers fly in, the customers fly in, and they all hack in the same place at once,” Williams-Baisy said. “The hackers form a bunch of teams and they all sort of compete for this bounty pool that’s available — a set of awards that, based on their submission, can allow them to gain financial bounties.”
Multiple teams from the Air Force attended the November event, which took place in Los Angeles, Williams-Baisy said.
Having the service attend is ideal for when hackers have questions about the assets or bugs. “They can find someone on the Air Force side who has direct knowledge of that asset or the application and discuss it with them directly,” he said.
More than $290,000 in prize money was awarded during the challenge, he said.
“When hackers are assessing these applications and finding these vulnerabilities or these security issues, they write up a report and they submit it to the HackerOne team and to the Air Force team for evaluation,” Williams-Baisy said.
After submission, HackerOne and the service use a rating system that allows them to assign the report to a difficulty level. Based on that score, “we have a scale of bounty award that it could fall into, and that’s how we will utilize the score to bounty amount,” he noted.
Although the hackers had weeks to familiarize themselves with the Air Force assets and applications, the United Kingdom’s Ministry of Defence joined the live hacking event with a new asset for hackers to target, Williams-Baisy said.
“A lot of times we’ll kind of change things up on the day to make sure to keep the hackers on their toes,” he said.