Cyber Airmen from the 24th Air Force at Joint Base San Antonio-Lackland, Texas. // U.S. Air Force

Cyber Airmen from the 24th Air Force at Joint Base San Antonio-Lackland, Texas. // U.S. Air Force United States Air Force

17-Year-Old Hacks US Air Force For The Biggest Bug Bounty

The Defense Department’s third vulnerability-finding contest invited international participants to attack USAF websites. They found the most bugs yet.

Foreign and domestic hackers probed hundreds of security holes in critical Air Force networks for weeks in late spring, and the Pentagon knew all about it. But instead of getting punished, the hackers got paid.

The Defense Department’s third and most successful bug bounty program, Hack the Air Force, uncovered a record 207 vulnerabilities in the branch’s major online systems. The department’s previous initiatives, Hack the Pentagon and Hack the Army, found 138 and 118 security gaps, respectively.

Unlike previous bug bounty programs that were open only to Americans, Hack the Air Force invited hackers from four countries outside the U.S. to participate: Australia, Canada, New Zealand and the United Kingdom.

Though inviting foreigners to hack military networks may sound unsafe, Air Force Chief Information Security Officer Peter Kim says the DOD frequently works with partner nations on initiatives to boost cybersecurity.

"We get a diversity of efforts that will make sure we have looked at our security from every angle," Kim told Nextgov. "By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense."

Bug bounties recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major gaffes capable of corrupting the entire network or exposing sensitive information. When a hacker finds one, she reports it to the group and usually receives compensation based on the severity of the bug.

Many corporations use the initiatives to protect themselves against malicious black-hat hackers, who look to exploit holes in security or to sell exploitable vulnerabilities to cyber crime organizations. The cybersecurity platform HackerOne organized all three of DOD’s bug bounties, and last year signed a contract to run similar programs for the department in the future.

“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion—and in this case, hundreds of second opinions—on the health and security of our online infrastructure,” Kim said in a statement.

The program ran from May 30 to June 23 and drew 272 security researchers to 13 of the branch’s public-facing sites. Hackers reported the first vulnerability less than a minute after the program launched. Of the 207 security holes they found, nine were classified as either critical or high severity.

Payouts ranged from $100 to $5,000 per bug, and hackers received more than $130,000 in rewards. The top earner was a 17-year-old, who alone submitted 30 valid vulnerabilities.

Bug bounties went mainstream in 2010 after Google launched its vulnerability rewards program, though the concept dates back decades earlier. Tech companies like Google have armies of staff engineers that test their systems, but even those armies can’t root out all the exploitable vulnerabilities in the company’s millions of lines of software code.

Structured programs like Hack the Air Force have helped legitimize the practice in recent years, but white-hat hackers have historically occupied a legal gray area.

In the U.S., security researchers frequently find themselves at odds with the Computer Fraud and Abuse Act, a 1986 law that criminalizes unauthorized access to computers and networks. Under the legislation, companies can swamp hackers in lawsuits for uncovering flaws in their systems, even if the person revealed the bug to the organization.

The law has come under sharp criticism, particularly after the suicide of internet activist Aaron Swartz, who was prosecuted under the law for writing a computer program that downloaded mass articles from the online library JSTOR using a Massachusetts Institute of Technology log in.

HackerOne lays out the rules for bug bounty participants, but the company’s Chief Executive Officer Marten Mickos said it’s incorrect stereotypes that give hackers a bad rap. Some people have bad intentions, he said, but the effectiveness of his company shows they’re in the minority.

“We bring all the good guys together, and when we have all of them it far outnumbers the bad guys,” said Mickos. “That’s why this business model works.”

The government has already contracted HackerOne to run a bug bounty at the General Services Administration, and programs at military bases.The Homeland Security Department may not be far off. But Mickos sees enormous potential for his self-described “talent agency” for the world’s best hackers in both the public and private spheres.

As a former senior vice president of Hewlett-Packard and CEO of multiple technology companies, he has seen security fail to keep up with the rapid progression of software. Bug bounty programs can offer developers a way to constantly test their products’ security.

Bug bounties bring fresh eyes to firms that may fail to recognize their own security flaws, Mickos said. By looking at the software from the same angle as potential criminals, participants can point out the vulnerabilities they will most likely exploit.

“In the past, people looked for security inside, in small groups and in secrecy,” Mickos said. “Now we are showing that, to be the most secure, you have to invite the external world to help you.”