First it was Hack the Pentagon, then last year Hack the Army, and now in 2017 the Air Force is getting in on the bug bounty action.
The original Hack the Pentagon bug bounty program debuted in March 2016 as an effort to enable security researchers to attack a limited set of Pentagon IT assets within a set time period. The effort was expanded in October 2016 into a wider program with the Department of Defense Digital Services organization to enable different branches of the armed forces to benefit from bug bounties.
The U.S. Army announced its bug bounty effort in November 2016 as the first engagement under the November 2016 contract. The U.S. Air Force program is a further expansion and will allow researchers from the U.S. as well as the United Kingdom, Canada, Australia and New Zealand to participate.
"Hack the Air Force has the largest scope of participation yet," Reina Staley, Chief of Staff at U.S. Defense Digital Services, told eSecurityPlanet.
Staley noted that the very first DoD pilot bug bounty, Hack the Pentagon, was limited to participation by U.S. citizens only.
"Since the success of Hack the Pentagon and the subsequent Hack the Army bounty, we've been working to continually expand the bounds for participation by everyone," she said. "For this round with the Department of the Air Force, we're excited to include the citizens of a few allied nations."
Much like the other programs that HackerOne runs for the U.S. Armed Services, the bug bounty is not an open invitation to hack anything a security researcher wants. Peter Kim, CISO of the U.S. Air Force, said that Hack the Air Force will be limited to public-facing web assets only.
That means that the Air Force's airborne assets, including Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, are not part of the new bug bounty program.
Hack the Air Force is also a time-limited program and is not currently an open-ended effort. Registration for the bug bounty program opens on May 15, with the program running from May 30 until June 23. That doesn't mean, however, that the Air Force or other branches of the Department of Defense aren't open to receiving responsible disclosures at other times.
"The Department of Defense launched a Vulnerability Disclosure Program (VDP) which allows security researchers across the globe to submit discovered vulnerabilities through the HackerOne platform for remediation by DoD security teams," Staley said. "The VDP provides a safe and legal avenue for anyone to report these vulnerabilities at any time, even outside of a bug bounty program."
With the Pentagon, Army and Air Force bug bounty programs underway, the goal for HackerOne and the Defense Digital Services organization is to further expand the effort in the months and years ahead.
"Our aim is for DoD organizations and all military Services to adopt this crowdsourced security tool," Staley said. "It's incredibly important for us to strengthen the assets that support services for our Service members, civilians, and their families around the world."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.