The US Air Force announced a new bug bounty programme on Wednesday (26 April), inviting third-party security researchers and white-hat hackers to find security vulnerabilities in some of its key public-facing websites. Dubbed "Hack the Air Force", the programme is the third one launched by the US Department of Defense.
Run in partnership with the bug bounty platform HackerOne, the new campaign builds on the DoD's successful "Hack the Pentagon" bug bounty, launched in 2016, by expanding the participation pool beyond US citizens. For the first time, the department is inviting white hat hackers from certain partner countries — the UK, Canada, Australia and New Zealand — to find flaws in its public sites as well.
These four countries, along with the United States, comprise the "Five Eyes" intelligence alliance.
"This is the first time the Air Force has opened up our networks to such a broad scrutiny," Air Force Chief Information Security Officer Peter Kim said in a statement. "We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture.
"The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."
Security researchers and hackers from these countries interested in participating in the new bug bounty programme will be required to register when the event opens on 15 May on the HackerOne website. The bug-finding campaign will run from 30 May through 23 June.
The "Hack the Pentagon" initiative was launched in April 2016 as the first bug bounty programme deployed by the federal government. With over 1,400 registered "hackers", the campaign garnered nearly 200 reports within the first six hours of its launch.
The DoD said $75,000 in total bounties were paid out to registered hackers who successfully found vulnerabilities in select DoD websites, including Defense.gov. The "Hack the Army" programme was launched in November 2016.
The Air Force is yet to announce the bounties and additional details for its new bug bounty initiative.
From Microsoft and Google to Chrysler and Nintendo, many private sector companies have launched programmes of their own to bolster their cyberdefenses, inviting eagle-eyed researchers to uncover any potentially dangerous flaws that could be exploited by malicious attackers.
"The whole idea of 'security through obscurity' is completely backwards," said Chris Lynch, director of the Pentagon's nearly two-year-old Defense Digital Service, which assists with the department's bug bounty initiatives. "We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community."