Hackers Find 207 Vulnerabilities in USAF Sites


Hack the Air Force, the so-called bug bounty event, ran from May 30 to June 23. A total of 272 hackers found 207 vulnerabilities across USAF systems. Logo courtesy of HackerOne.

During a nearly month-long hacking competition, 272 vetted hackers descended upon a set of USAF sites, doing their best to break barriers.

Called Hack the Air Force, the so-called bug bounty event ran from May 30 to June 23. HackerOne ran the competition, as it did its predecessors Hack the Pentagon and Hack the Army. However, unlike previous competitions, this one was open to hackers outside the US, from the UK, Australia, New Zealand, and Canada. Thirty-three registered hackers hailed from outside the US. Conversely, two hackers were in the US military.

According to HackerOne CEO Marten Mickos, hackers were told their targets some time before the competition, which might be why the first reported vulnerability came less than a minute into the competition. More vulnerabilities were exposed in the Air Force’s bug bounty than the Pentagon equivalent (138) or the Army equivalent (118). In all, 207 valid—unique, among other things—vulnerabilities came in. In the first 24 hours of the competition, hackers submitted 23 vulnerabilities.

“It is a race against time,” Mickos told Air Force Magazine. “It’s important for them to file quickly.” If two hackers submit the same vulnerability, only the original submission gets paid.

For each reported vulnerability, hackers earned cash ranging from $100 to about $5,000, depending on the severity of the vulnerability. Over the course of the competition, hackers earned over $130,000 at an average of $644 per submission.

For example, finding one of the most common vulnerabilities, cross-site scripting (XSS), would garner $100. An XSS bug might allow someone to add text to a webpage but do little else. This “relatively easy to find” bug isn’t very dangerous, Mickos said. At the other end of the spectrum is something called remote code execution (RCE): injecting code into a site from the outside and having the site execute it. Mickos called RCE bugs critical, adding that when someone is able to accomplish one, that person has “real control” of the site. Nine bounties worth $5,000 were paid, but Mickos couldn’t share details about them, citing cybersecurity.

The top-earning hacker was 17 years old (and submitted one of the $5,000 bugs out of a total of 30 submissions), and most of the hackers weren’t much older, Mickos told Air Force Magazine.

“Generally, the average age among all hackers is 20 to 25,” Mickos said. “It’s a skill that you could get good at at a young age, kind of like sports.”

The results of bug bounty programs aren’t just relevant to the uncovered holes in the Air Force’s cyber walls. They also allow the service to inform future coders about potential issues with upcoming systems.

“Our hackers come from the same direction as the adversary, with the same tools and same limitations,” Mickos said, adding that bug bounty programs are proliferating globally, mentioning other customers ranging from Uber to Starbucks. “It’s becoming a big thing in security. It’s interesting to see. Finally, we’re realizing: The best way to protect yourself against bad guys is to reach out to the good guys.”