It shouldn’t be any surprise at all to hear that people are trying to hack into the United States Air Force’s networks and computer systems.
And, as everyone knows, if you hack into the US Air Force’s systems without their permission you’re breaking the law and – if caught – could face a severe prison sentence.
But there is one way to hack the US Air Force without having the book thrown at you. And you can even legally earn yourself a tidy sum of money at the same time. And that’s by hacking the US Air Force systems with its explicit permission.
Yesterday, the US Air Force used a Facebook live stream to announce a new initiative it was launching with HackerOne called “Hack the Air Force”, inviting white-hat hackers to find security vulnerabilities on its public-facing servers and websites, and offering bug bounty payments for those who discover flaws.
Chief Information Security Officer Peter Kim described the need for external scrutiny of the US Air Force’s security, given that it operates tens of thousands of public-facing servers:
“We have millions of probes a day, a week, on our DoD systems quite frankly. These are probably people out there, around the world, who particularly aren’t friendly with the Department of Defense. And they generally don’t tell us what’s wrong with our systems until we find out that something’s been hacked. And so I want to turn that around. I want to know beforehand where our vulnerabilities are. I know we have vulnerabilities, and I want to know where those are in the United States Air Force.”
It’s important to point out that the US Air Force isn’t opening itself up to a hacking free-for-all. They are looking for friendly hackers to help them, in order to get ahead of the problem. All of the vulnerability researchers participating in the challenge will need to register on the HackerOne website, and be vetted by HackerOne before they are given the parameters of the task.
Registration for “Hack the Air Force” is scheduled to begin May 15th via the HackerOne website. The challenge is open to United States, UK, Australian, New Zealand, and Canadian citizens, and will run from May 30 to June 23.
Presumably, if successful, the US Air Force may run similar initiatives in the future. Military members and government civilians are not eligible for compensation, but can participate on-duty with supervisor approval.
Details of the bug bounties up for grabs have not been made available, but similar schemes run by the Department of Defense in the past have offered bounty payments of up to $150,000 for those who discover flaws.
I’m a strong believer that it is better to hack yourself (or hire penetration testers) to uncover system vulnerabilities than to wait for a malicious hacker to attack your network.
And, of course, security should be an important consideration throughout a project – not just after it has gone live on a public-facing website.
However, we have to be realistic. Humans make mistakes, and vulnerabilities can creep into projects unspotted. The more trusted eyes checking a service – with the approval of the systems’ owners – the better.