ARLINGTON, Va. — The Defense Department is expanding its hacking bounty program to find security vulnerabilities, with the Air Force widening the hacker pool to include nationals of select foreign countries.
The Air Force issued an invitation Wednesday for “vetted” white-hat hackers from the United States, United Kingdom, Canada, Australia and New Zealand to try to infiltrate the service’s websites.
“This outside approach — drawing on the talent and expertise of our citizens and partner-nation citizens — in identifying our security vulnerabilities will help bolster our cybersecurity,” Air Force Chief of Staff Gen. David Goldfein said in a statement. “We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team.”
Registration for hackers begins May 15, with the hackathon running from May 30 to June 23. Members of the military and of the civilian workforce won’t be eligible for the reward cash. Last year’s “Hack the Pentagon” event paid out $75,000 to hackers who found bugs.
“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
One of the winning Pentagon hackers last year was a high school student from the Beltway, who joined then-Defense Secretary Ashton Carter at the DoD’s June award ceremony.
“For them and many others, this was about more than a reward or a bounty, it was about an opportunity to contribute to making our country safer,” Carter said.
Carter said that out of 1,400 hackers invited to take part in the pilot challenge, more than 250, from 44 states, participated and submitted one or more vulnerability reports.
Those reports were then sent through a contractor, HackerOne, to determine if they were “legitimate, unique and eligible for a bounty.” Out of the reports, 138 made the cut.
Carter said the cyber security flaws uncovered “would have been trouble,” and “that’s why they’re eligible for a reward.”
The rewards were “not a small sum,” he said, “but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.”