Air Force Fixes Bugs Following Hacker Challenge

AIR FORCE NEWS

Air Force Fixes Bugs Following Hacker Challenge

6/4/2020
By Mandy Mayfield

HackerOne photo

The Air Force was able to identify more than 460 security vulnerabilities in its virtual data center with the help of a bug bounty facilitator company.

Bug bounty programs have become a tool for the Defense Department to gain more insight about its cyber vulnerabilities.

HackerOne announced in April the results of its “Hack the Air Force 4.0” challenge, where more than 60 hackers from 21 countries participated in a four-week long challenge to seek and disclose vulnerabilities within the Air Force Virtual Data Center.

The data center is “a pool of cloud-based servers and systems,” according to HackerOne, a San Francisco-based company.

The challenge began with an opportunity for participants to assess Air Force assets. At the end of the assessment period, a live hacking event took place, said Antoine Williams-Baisy, technical program manager II at the company.

“Hackers fly in, the customers fly in, and they all hack in the same place at once,” Williams-Baisy said. “The hackers form a bunch of teams and they all sort of compete for this bounty pool that’s available — a set of awards that, based on their submission, can allow them to gain financial bounties.”

Multiple teams from the Air Force attended the November event, which took place in Los Angeles, Williams-Baisy said.

Having the service attend is ideal for when hackers have questions about the assets or bugs. “They can find someone on the Air Force side who has direct knowledge of that asset or the application and discuss it with them directly,” he said.

More than $290,000 in prize money was awarded during the challenge, he said.

“When hackers are assessing these applications and finding these vulnerabilities or these security issues, they write up a report and they submit it to the HackerOne team and to the Air Force team for evaluation,” Williams-Baisy said.

After submission, HackerOne and the service use a rating system that allows them to assign the report to a difficulty level. Based on that score, “we have a scale of bounty award that it could fall into, and that’s how we will utilize the score to bounty amount,” he noted.

Although the hackers had weeks to familiarize themselves with the Air Force assets and applications, the United Kingdom’s Ministry of Defence joined the live hacking event with a new asset for hackers to target, Williams-Baisy said.

“A lot of times we’ll kind of change things up on the day to make sure to keep the hackers on their toes,” he said.

Topics: Cybersecurity, Cyber

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES