The Air Force's "Hack the Air Force" program, which crowdsources cybersecurity testing on its public-facing systems, uncovered 207 patchable security flaws in a little under a month.
"It was the most successful [Department of Defense] bug bounty so far," said Marten Mickos, chief executive of the contractor HackerOne, which ran the program for the Air Force and similar "Hack the Pentagon" and "Hack the Army" programs in the past.
On Thursday, the Air Force and HackerOne released final statistics on "Hack the Air Force," which ran from May 30 to June 23. The so-called bug bounty program turned up 70 more flaws than the Pentagon's program and 90 more flaws than the Army's.
The raw number of security vulnerabilities discovered is not necessarily the best measure of the success of a bug bounty program because some security flaws are more severe than others. But the bounties are tied to the severity of the bugs that are found, and "Hack the Air Force" awarded more than $130,000 — outpacing the Army's bounty program by $30,000.
The Air Force program relied on a vetted field of hackers who applied to participate. For the first time in a Department of Defense program, overseas participants were included. Foreign hackers discovered around a quarter of the flaws.
The top earner, said Mickos, is 17 years old.
"Adversaries are constantly attempting to attack our websites, so we welcome a second opinion — and in this case, hundreds of second opinions — on the health and security of our online infrastructure," Peter Kim, U.S. Air Force chief information security officer, said in a press release.