The Air Force wrapped up its first bug bounty program on June 23 and announced the results on Thursday. The program found more vulnerabilities than the previous programs run by the Pentagon and Army.
Announced in April, Hack the Air Force — like the Pentagon and Army initiatives before it — sought to create a vulnerability disclosure program in the name of cybersecurity.
According to HackerOne, the Air Force's industry partner, the program boasted:
- 272 eligible hackers
- 207 valid vulnerabilities
- Pay-outs totaling over $130,000 in bounties for an average of $644 per discovered vulnerability
By comparison, Hack the Pentagon netted 138 vulnerabilities and Hack the Army unearthed 118.
The first vulnerability was reported less than a minute after the program’s launch, with another 23 submitted within the first 24 hours.
Participants ran the gamut, including two active-duty military members and more than 30 researchers based outside the U.S. The top earner was a 17-year-old hacker who submitted some 30 valid reports.
“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure,” said Air Force CISO Peter Kim. “By engaging a global army of security researchers, we’re better able to assess our vulnerabilities and protect the Air Force’s efforts in the skies, on the ground and online.”