How the Air Force used a bug bounty program to hack its own cloud server

The Air Force paid out $123,000 to researchers who found vulnerabilities in the organization's move to the cloud. Here's why.


With nearly 70% of organizations moving business-critical applications to the cloud, cloud migration is sweeping the enterprise. This even holds true in government agencies, as the US Air Force began moving more than 100 apps to the cloud in late 2016, our sister site CNET reported. 


However, the rise of cloud technology also brings a slew of safety and security concerns. To test the strength of its cloud security, the Air Force called upon ethical hackers to engage in a bug bounty program, in which white hat hackers and researchers are paid for finding security flaws in systems before cybercriminals do.

"While the CCE [Common Computing Environment] platform has a significant number of security measures in place, it was still important to test the environment from an external and internal perspective," James Thomas, lead at Air Force Digital Service, told TechRepublic. 

In partnership with Bugcrowd researchers, the Air Force's bug bounty program uncovered 54 vulnerabilities in the cloud server. The payouts over the course of the program totaled $123,000, with the highest single payout bringing in $20,000, according to Thomas.

Bug bounty programs are meant to discover vulnerabilities before malicious hackers do. Many major companies have launched these programs in the past, including Microsoft, HP, Dropbox, and more. 

"The most significant findings were vulnerabilities involved with researchers being able to access certain roles or configurations that they were not assigned to," Thomas said. "Even though these vulnerabilities only existed within escalated privileges accounts, these submissions were immediately remedied and were great lessons learned for future development."

The Digital Defense Service is also set to announce the extensive results of the bug bounty program on Thursday at the hacker conference Defcon in Las Vegas. 

How to start a bug bounty program

While it may seem unusual to bring in outside individuals to try and hack your own systems, "the benefits that come with this type of testing far outweigh the risks," Thomas said. "Bug bounties allow platform owners to strictly focus on the remediation and retest of their assets, instead of finding vulnerabilities themselves."

When beginning the process of starting a bug bounty program, organizations must get buy-in early on, according to Grant McCracken, director of solutions at Bugcrowd. 

"A successful program starts well before it goes live," McCracken told TechRepublic. "Getting internal buy-in throughout the process, and especially from the top, is the best way to ensure all parties are aligned on the program goals and business needs—so that when the time comes to execute, all stakeholders are in agreement."

Security measures shouldn't stop when the bug bounty is over, Thomas added. 

"No organization or technology is infallible. Many global companies utilize crowdsourced security to leverage the best and brightest beyond their companies or organizations to strengthen their software and services, and better secure proprietary and consumer data," Thomas said. 

For more, check out Top 5: Reasons you need a bug bounty program on TechRepublic. 


By Macy Bayern

Macy Bayern is an Associate Staff Writer for TechRepublic. A recent graduate from the University of Texas at Austin's Liberal Arts Honors Program, Macy covers tech news and trends.