By Liam Tung
June 9, 2017
The US Air Force has launched its first bug bounty, and is inviting not just US citizens, but hackers from any of the Five-Eyes nations.
The US Air Force bounty extends the Department of Defense's earlier Hack the Pentagon program, and is the first time a Defense organisation has opened a bounty to non-US residents. The program, which kicks off in late May, is also open to all citizens from Five-Eyes partner countries, including the UK, Canada, Australia, and New Zealand.
The Air Force hopes that relaxing the rules on who can participate will give it access to a wider pool of talent and ultimately better defenses at a time when many organisations are struggling with cybersecurity skills shortages.
"This outside approach--drawing on the talent and expertise of our citizens and partner-nation citizens--in identifying our security vulnerabilities will help bolster our cybersecurity," said Air Force Chief of Staff Gen. David L. Goldfein.
"We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team," he added.
Peter Kim, the Air Force Chief Information Security Officer, said the broader participation should improve the diversity of experience in the program.
"It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture," he said.
As with previous DoD bounties, such as Hack the Army, the program is being hosted by bug bounty provider HackerOne. The DoD last year awarded HackerOne and Synack a deal to operate a "new contract vehicle" through which other DoD units can run their own crowdsourced security programs.
The original Hack the Pentagon pilot attracted 1,400 hackers and resulted in 138 zero-day flaws being identified. Researchers were rewarded $75,000.
The Hack the Army program, while still hailed as a success, had just 371 participants. Still, those participants produced 118 "unique and actionable" reports, netting them payments in excess of $100,000. Hackers were vetted and then invited to participate in what was billed as the "most ambitious" Defense bounty because of the targets in scope.
Hack the Air Force is being called the "largest DoD bug bounty challenge ever" due to its broader eligibility. Rules for non-US citizens have not been revealed yet, though past bounties have required candidates to agree to a criminal background check.
The bounty initiative in DoD has been headed up by the Defense Digital Services (DDS) team, which helped launch the Air Force Digital Service team in January.
"The whole idea of 'security through obscurity' is completely backwards. We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community," said Chris Lynch of the DDS.
Five-Eyes hackers will need to register at HackerOne from May 15 to participate in the bounty, which runs between May 30 and June 23.