Cyber Airmen from the 24th Air Force at Joint Base San Antonio-Lackland, Texas. // U.S. Air Force


17-Year-Old Hacks US Air Force For The Biggest Bug Bounty

The Defense Department’s third vulnerability-finding contest invited international participants to attack USAF websites. They found the most bugs yet.

Foreign and domestic hackers probed hundreds of security holes in critical Air Force networks for weeks in late spring, and the Pentagon knew all about it. But instead of getting punished, the hackers got paid.

The Defense Department’s third and most successful bug bounty program, Hack the Air Force, uncovered a record 207 vulnerabilities in the branch’s major online systems. The department’s previous initiatives, Hack the Pentagon and Hack the Army, found 138 and 118 security gaps, respectively.

Unlike previous bug bounty programs that were open only to Americans, Hack the Air Force invited hackers from four countries outside the U.S. to participate: Australia, Canada, New Zealand and the United Kingdom.

Though inviting foreigners to hack military networks may sound unsafe, Air Force Chief Information Security Officer Peter Kim says the DOD frequently works with partner nations on initiatives to boost cybersecurity.

"We get a diversity of efforts that will make sure we have looked at our security from every angle," Kim told Nextgov. "By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense."

Bug bounties recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major gaffes capable of corrupting the entire network or exposing sensitive information. When a hacker finds one, she reports it to the group and usually receives compensation based on the severity of the bug.

Many corporations use the initiatives to protect themselves against malicious black-hat hackers, who look to exploit holes in security or to sell exploitable vulnerabilities to cyber crime organizations. The cybersecurity platform HackerOne organized all three of DOD’s bug bounties, and last year signed a contract to run similar programs for the department in the future.

“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion—and in this case, hundreds of second opinions—on the health and security of our online infrastructure,” Kim said in a statement.

The program ran from May 30 to June 23 and drew 272 security researchers to 13 of the branch’s public-facing sites. Hackers reported the first vulnerability less than a minute after the program launched. Of the 207 security holes they found, nine were classified as either critical or high severity.

Payouts ranged from $100 to $5,000 per bug, and hackers received more than $130,000 in rewards. The top earner was a 17-year-old, who alone submitted 30 valid vulnerabilities.

Bug bounties went mainstream in 2010 after Google launched its vulnerability rewards program, though the concept dates back decades earlier. Tech companies like Google have armies of staff engineers that test their systems, but even those armies can’t root out all the exploitable vulnerabilities in the company’s millions of lines of software code.

Structured programs like Hack the Air Force have helped legitimize the practice in recent years, but white-hat hackers have historically occupied a legal gray area.

In the U.S., security researchers frequently find themselves at odds with the Computer Fraud and Abuse Act, a 1986 law that criminalizes unauthorized access to computers and networks. Under the legislation, companies can swamp hackers in lawsuits for uncovering flaws in their systems, even if the person revealed the bug to the organization.

The law has come under sharp criticism, particularly after the suicide of internet activist Aaron Swartz, who was prosecuted under it for writing a computer program that mass-downloaded articles from the online library JSTOR using a Massachusetts Institute of Technology login.

HackerOne lays out the rules for bug bounty participants, but the company’s Chief Executive Officer Marten Mickos said it’s incorrect stereotypes that give hackers a bad rap. Some people have bad intentions, he said, but the effectiveness of his company shows they’re in the minority.

“We bring all the good guys together, and when we have all of them it far outnumbers the bad guys,” said Mickos. “That’s why this business model works.”

The government has already contracted HackerOne to run a bug bounty at the General Services Administration, as well as programs at military bases. The Homeland Security Department may not be far off. But Mickos sees enormous potential for his self-described “talent agency” for the world’s best hackers in both the public and private spheres.

As a former senior vice president of Hewlett-Packard and CEO of multiple technology companies, he has seen security fail to keep up with the rapid progression of software. Bug bounty programs can offer developers a way to constantly test their products’ security.

Bug bounties bring fresh eyes to firms that may fail to recognize their own security flaws, Mickos said. By looking at the software from the same angle as potential criminals, participants can point out the vulnerabilities they will most likely exploit.

“In the past, people looked for security inside, in small groups and in secrecy,” Mickos said. “Now we are showing that, to be the most secure, you have to invite the external world to help you.”
