U.S. Air Force Announces Third Bug Bounty Program
6.11.2018 securityweek
BigBrothers

The United States Air Force on Monday announced that it has launched its third bug bounty program in collaboration with HackerOne.

Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, spanning 191 countries and lasting more than four weeks.

The program started on October 19 and it will end no later than November 22. Up to 600 researchers who have registered will be invited to find vulnerabilities in Department of Defense applications that were recently migrated to a cloud environment owned by the Air Force.

Roughly 70 percent of the participants will be selected based on their HackerOne reputation score and the rest will be picked randomly.

The Pentagon claims it’s offering “competitive bounty awards,” with a minimum payout of $5,000 for critical vulnerabilities.

“Hack the AF 3.0 demonstrates the Air Forces willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, Air Force chief information security officer.

The first Hack the Air Force generated over 200 valid vulnerability reports, which earned researchers more than $130,000. In the second installment, the DoD paid out over $100,000 for 106 vulnerabilities discovered by 27 white hat hackers.

Last month, the DoD announced that the Hack the Marine Corps bug bounty program resulted in payouts totaling more than $150,000 for nearly 150 unique flaws.

The DoD recently informed bug bounty hunters that its “Hack the Pentagon” program will run all year long and will target the organization’s high-value assets. This initiative is powered by crowdsourced security platform Bugcrowd.