Earlier this week, the United States Air Force launched its third bug bounty program, Hack the Air Force 3.0, in collaboration with HackerOne.
“Thank you for your interest in participating in HackerOne’s U.S. Department of Defense (DoD) ‘Hack the Air Force 3.0’ Bug Bounty challenge,” reads the announcement published by the United States Air Force.
“This is an effort for the U.S. Department of the Air Force to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. By doing so, the U.S. Air Force can ensure its systems and warfighters are as secure as possible.”
The program started on October 19 and will last more than four weeks; it is scheduled to end on November 22.
Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, involving up to 600 researchers.
“Hack the AF 3.0 demonstrates the Air Force’s willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, Air Force chief information security officer.
Participants will have to find vulnerabilities in Department of Defense applications. 70% of the participants will be selected by the HackerOne reputation system, and the remainder will be selected randomly.
The bug bounty is open to U.S. persons as defined by Internal Revenue Code Section 7701(a)(30), including U.S. Government contractor personnel. The challenge is also open to foreign nationals, based on their Government passport, who are not on the U.S. Department of the Treasury’s Specially Designated Nationals List and who are not citizens of China, Russia, Iran, or the Democratic People’s Republic of Korea.
“If you submit a qualifying, validated vulnerability, you may be eligible to receive an award, pending a security and criminal background check. Specific information on payment eligibility will be provided upon acceptance into the challenge,” continues the announcement.
The minimum payout for this challenge is $5,000 for critical vulnerabilities.
The first Hack the Air Force bug bounty program was launched by the United States Air Force in April 2017 to test the security of its networks and computer systems.
The program led to the discovery of over 200 valid vulnerabilities, and researchers received more than $130,000. In February 2018, HackerOne announced the results of the second round of the U.S. Air Force bug bounty program, Hack the Air Force 2.0. The US Government paid more than $100,000 for over 100 reported vulnerabilities.
(Security Affairs – Hack the Air Force, bug bounty)