In a bug bounty program, an organization offers recognition and financial rewards to those who identify and report bugs in its software. Bug bounty programs help curb cyberattacks, since vulnerabilities are identified and reported earlier, with less risk of being exploited in the wild. For the third time in a row, the United States Air Force has invited members of the public to join its bug bounty program.
The Defense Digital Service began the Hack the Air Force (HtAF) program back in 2016. At that time, it was the first bug bounty program launched by the US government. The program saw incredible success that year, with nearly 1400 registered hackers and about 200 submitted reports within the first six hours after launching. That year, $75,000 in bounties was issued.
The year 2017 saw the launch of the HtAF 2.0 bug bounty program. A big payout of $10,650 was made to a pair of security experts for finding a flaw in the AF’s website which permitted unauthorized access to the Department of Defense’s internal networks.
In collaboration with HackerOne, the Air Force has launched the “Hack the Air Force 3.0” bug bounty program. Participants from 191 countries can take part. The program is very inclusive, except for a few US-sanctioned countries such as China, Russia, Iran, and the Democratic People’s Republic of Korea.
The name “Hack the Air Force” originates from the Department of Defense’s “Hack the Pentagon,” and the program allows researchers to find vulnerabilities and bugs in Air Force websites. This will help strengthen the Air Force’s cyber posture. The program began on October 19 and will run until November 22. This year, the main focus is Department of Defense applications that were earlier moved to an Air Force-owned cloud environment.
“Hack the AF 3.0 demonstrates the Air Force’s willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, the Air Force’s chief information security officer.
Just like in other competitive bug bounty programs, rewards are offered according to the severity of the vulnerability. A vulnerability tagged as severe will get no less than $5000.