Thomas Phippen, DCNF
A 17-year-old hacker discovered 30 vulnerabilities on the Air Force’s “bug bounty” program this summer, and got paid to do it.
Hundreds of participants accepted the challenge to hack the Air Force this summer and found 207 individual vulnerabilities in the service's online systems, nine of which were rated either critical or severe, the Air Force said in a statement Thursday.
High school student Jack Cable made it to the top of the leaderboard and won the biggest payout after finding 30 valid vulnerabilities. The Pentagon paid out more than $130,000 in prizes, with each vulnerability worth between $1,000 and $5,000.
Cable told Marketplace in an interview that he discovered a vulnerability that, when exploited, allowed him to "access all the user data that was on the website and I could change anything that I wanted to."
Cable and his competitors were recruited through HackerOne, a company that brings together "ethical hackers" to search for vulnerabilities in government and corporate systems. The Department of Defense has contracted with HackerOne for three bug bounty programs so far. These included the Hack the Pentagon event in 2016, which discovered 138 vulnerabilities, and the Hack the Army initiative this spring, which found 118 security gaps.
The bug bounty event lasted from May 30 to June 23, allowing 272 hackers to look at 13 Air Force websites. The event included foreign hackers for the first time in the Pentagon’s bug bounty history.
“We get a diversity of efforts that will make sure we have looked at our security from every angle,” Peter Kim, Air Force’s chief information security officer, told Nextgov. “By allowing the good guys to help us, we can better level the playing field and get ahead of the problem instead of just playing defense.”
Asked why he works as "a good guy," Cable told Marketplace, "it's really risky if you try to exploit vulnerabilities that you find."
“You could wind up in jail or be sued by different companies,” Cable said. “The advantages of these bug bounty programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.”
“We bring all the good guys together, and when we have all of them it far outnumbers the bad guys,” HackerOne CEO Marten Mickos told Nextgov. “That’s why this business model works.”
“Adversaries are constantly attempting to attack our websites, so we welcome a second opinion—and in this case, hundreds of second opinions—on the health and security of our online infrastructure,” Kim said in a statement.