Teen hacks the Air Force and is rewarded handsomely

Thomas Phippen, DCNF

A 17-year-old hacker discovered 30 vulnerabilities through the Air Force’s “bug bounty” program this summer, and got paid to do it.

Hundreds of participants accepted the challenge to hack the Air Force this summer and found 207 individual vulnerabilities in the service’s online systems, nine of which were either critical or severe, the Air Force said in a statement Thursday.

High school student Jack Cable made it to the top of the leaderboard and won the biggest payout after finding 30 valid vulnerabilities. The Pentagon paid out more than $130,000 in prizes, with each vulnerability worth between $1,000 and $5,000.

In an interview with Marketplace, Cable said he discovered a vulnerability that, when exploited, allowed him to “access all the user data that was on the website and I could change anything that I wanted to.”

Cable and his competitors were recruited through HackerOne, a company that brings together “ethical hackers” to search for vulnerabilities in government and corporate systems. The Department of Defense has contracted with HackerOne for three bug bounty programs so far. These included the Hack the Pentagon event in 2016, which discovered 138 vulnerabilities, and the Hack the Army initiative this spring, which found 118 security gaps.

The bug bounty event lasted from May 30 to June 23, allowing 272 hackers to look at 13 Air Force websites. The event included foreign hackers for the first time in the Pentagon’s bug bounty history.

“We get a diversity of efforts that will make sure we have looked at our security from every angle,” Peter Kim, the Air Force’s chief information security officer, told Nextgov. “By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense.”

Asked why he works as “a good guy,” Cable told Marketplace, “It’s really risky if you try to exploit vulnerabilities that you find.”

“You could wind up in jail or be sued by different companies,” Cable said. “The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.”

“We bring all the good guys together, and when we have all of them it far outnumbers the bad guys,” HackerOne CEO Marten Mickos told Nextgov. “That’s why this business model works.”

“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion—and in this case, hundreds of second opinions—on the health and security of our online infrastructure,” Kim said in a statement.
