Hack the Air Force 3.0 – New vulnerability bounty program

This is the third bug bounty program launched by the US armed forces.

The United States Air Force launched its third vulnerability bounty program earlier this week, called ‘Hack the Air Force 3.0’, in collaboration with HackerOne, report digital forensics specialists at the International Institute of Cyber Security.

“The Air Force appreciates the interest of cybersecurity professionals in participating in the ‘Hack the Air Force 3.0’ vulnerability bounty program”, the US Department of Defense (DoD) said in its published announcement.

“This is an effort for the US Air Force Department to explore new approaches to its security and adopt the best practices used by the world’s leading software, computer security and digital forensics companies. In doing so, the US Air Force will be able to ensure that its systems and combatants are as safe as possible”.

The program began on October 19 and will last a little over a month; its completion is scheduled for November 22nd.

Hack the Air Force 3.0 is the largest vulnerability bounty program that the US government has deployed so far, involving up to 600 researchers and specialists in information security, digital forensics and ethical hacking.

“Hack The Air Force 3.0 is a sign of the commitment that the US armed forces have taken to repair the vulnerabilities that pose critical risks to our networks”, said Wanda Jones-Heath, the US Air Force Information Security Director.

Participants will need to find vulnerabilities in Defense Department applications. 70% of participants will be selected by the HackerOne system, and the remainder will be selected randomly.

The bounty program is open to any US inhabitant, as defined in section 7701(a)(30) of the Internal Revenue Code, including US government contractors. The program is also open to foreign citizens who are not on the list of specially designated nationals of the US Department of the Treasury, and who are not citizens of China, Russia, Iran or the Democratic People’s Republic of Korea.

“If someone sends a valid report according to program specifications, they must wait for a criminal and security background check before receiving the stipulated reward. Specific information on eligibility for payment will be provided once the program has accepted a valid report”, the Department of Defense mentions in its publication.

The minimum payment set by the program is $5k USD for a critical vulnerability report.

The first Hack the Air Force rewards program was launched by the United States Air Force in April 2017 to test the security of its computer networks and systems.

Since its launch, this program has led to the discovery of more than 200 critical vulnerabilities and paid out over $130k USD. In February 2018, HackerOne announced the results of the second round of the US Air Force vulnerability bounty program, Hack the Air Force 2.0. This time, the US government paid over $100k USD for about 100 vulnerability reports.