The U.S. Air Force launched a new bug bounty program dubbed “Hack the Air Force” on Wednesday, continuing a trend within the U.S. military that began last year with Hack the Pentagon and Hack the Army.
Before the Pentagon’s bug bounty programs launched, it was illegal to search for vulnerabilities on Defense Department networks. Similar programs are popping up overseas: The U.K. launched a vulnerability coordination pilot program last month meant to improve the disclosure process and find more bugs on U.K. systems.
The Air Force program is directed by HackerOne, the bug bounty platform behind Hack the Pentagon that just raised a $40 million investment in February, and Luta Security, the security consulting firm driving the U.K. program. HackerOne and Luta Security are partnering to deliver up to 20 bug bounty challenges over three years to the Defense Department.
“This outside approach — drawing on the talent and expertise of our citizens and partner-nation citizens — in identifying our security vulnerabilities will help bolster our cybersecurity,” Air Force Chief of Staff Gen. David Goldfein said in a statement. “We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team.”
Bug bounty programs, which are credited in part for the increasing rarity of zero-day exploits, are widely adopted in the tech sector but still remain foreign to most large organizations.
“Not as many bug bounties are launching as one might think,” Katie Moussouris, founder of Luta Security, said. “In fact, while the numbers are increasing, most governments and even the largest Fortune 500 companies lack even the most basic vulnerability reporting capabilities.”
Meanwhile, dark net markets have launched bug bounty programs in an effort to harden their security against adversaries that might put them out of business or in prison.
Hackers from the United States, United Kingdom, Canada, Australia and New Zealand — the Five Eyes intelligence alliance — are eligible to participate in Hack the Air Force. Hackers must pass a rigorous background test and have a clean criminal record in order to participate. That excludes many talented individuals, some critics say, but close control is one of the common denominators across all of the Pentagon’s bounty programs.
Last year, the Pentagon awarded over $75,000 in bounties when more than 1,4000 participating hackers found 138 vulnerabilities in Defense Department systems.
Registration for Hack the Air Force begins on May 15. The contest launches on May 30 and will last until June 23.