Air Force security hackathon leads to record payout
And there were fewer vulnerabilities than last time around.
The US Air Force's second security hackathon has paid dividends... both for the military and the people finding holes in its defenses. HackerOne has revealed the results of the Hack the Air Force 2.0 challenge from the end of 2017, and it led to volunteers discovering 106 vulnerabilities across roughly 300 of the USAF's public websites. Those discoveries proved costly, however. The Air Force paid out a total of $103,883, including $12,500 for one bug -- the most money any federal bounty program has paid to date.
The event also set a record for speed. On the first day (December 9th), the military and 24 hackers conducted a live event where they reported and fixed flaws as they happened. It took just 9 hours to fix 55 of the potential exploits.
HackerOne is keen to tout this as a success in the larger Hack the Pentagon program. White hat hackers have found over 3,000 holes since the program kicked off in spring 2016, and it's a definite improvement over the 207 flaws found during the original Hack the Air Force from spring 2017. With that said, this shows that there's still a lot of room for improvement. While it's difficult to completely remain up to date (new flaws are bound to pop up), the Air Force isn't yet at the point where exploits are relatively rare.
