Nextgov reports on the Air Force paying out over $100,000 in a public web site bug bounty:
The Air Force paid out nearly $104,000 to a cohort of white-hat hackers as part of Hack the Air Force 2.0, the Pentagon’s most recent bug bounty competition. During the 20-day competition, participants uncovered 106 security vulnerabilities across roughly 300 of the branch’s public-facing websites.
“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force Chief Information Security Officer Peter Kim in a statement. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”
The event kicked off Dec. 9 with a hackathon in New York City that partnered military cyber specialists with an A-list group of 25 ethical hackers from the United States, Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia. Participants discovered two bugs within the first 30 seconds of the competition and another 53 by the end of the day, earning a total of $26,883 in bounties.
This is a smart move. It is an inconsequential amount of money in the context of the entire Air Force budget, and likely far less expensive than paying an overpriced defense contractor to perform an assessment. Plus, these are motivated people who are really interested in helping.
All around, it helps the Air Force find and fix vulnerabilities while cultivating good will within the security industry.