Air Force launches bug bounty program

The Air Force announced today that it will launch a bug bounty next month for several of its public-facing websites, allowing hackers to seek out vulnerabilities in the sites and exchange them for cash rewards.

Over the past year, the federal government has slowly started to open up to the idea of bug bounty programs. Hack the Pentagon, which launched last April, was the government’s first foray into bug bounties, and the program has since been expanded to include Army websites, as well.

The Air Force bug bounty will be the first federal government program that invites hackers from outside the United States to participate — the challenge will be open to hackers based in the U.K., Canada, Australia and New Zealand, as well as those based in the U.S. Like other federal bug bounties before it, the Air Force program will be administered by HackerOne and will allow military members to participate too (although they’re not allowed to earn rewards).

“This is the first time the AF has opened up our networks to such broad scrutiny,” Air Force chief information security officer Peter Kim said in a statement. “We have malicious hackers trying to get in to our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional vulnerabilities.”

Bug bounties have their roots in private industry, but have been gaining support in the government through the work of the Defense Digital Service, an agency that brings skilled tech workers into the Defense Department for “tours of duty.”

“The whole idea of ‘security through obscurity’ is completely backwards,” said Chris Lynch of the Defense Digital Service. “We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community.”

Hackers who want to participate in the Air Force bug bounty can register with HackerOne starting May 15. The contest kicks off May 30 and closes June 23.