After a successful three-month pilot program with Bugcrowd, the U.S. Air Force is eyeing an expansion of its bug bounty efforts for longer engagements.
Last month, Bugcrowd announced the results of the first Air Force bug bounty program for its cloud platform, known as the Common Computing Environment (CCE). The three-month bug bounty, which began in March, included six different phases for the CCE, which is built on both Amazon Web Services (AWS) and Microsoft Azure. The phases included source code analysis, AWS environment testing, Azure environment testing, black box network-authentication assessment, social engineering engagement and Air Force portal testing.
The program, which was managed by Bugcrowd, invited around 50 pre-approved security researchers and bug hunters and discovered 54 vulnerabilities within the CCE over the three-month span. A total of $123,000 was paid out to researchers, including a top prize of $20,000.
James Thomas of the Air Force Digital Service, which is part of the Digital Defense Service (DDS), told SearchSecurity the most significant vulnerabilities involved access control issues that allowed researchers to obtain roles and configurations to which they were not assigned. The Air Force bug bounty submissions were immediately addressed and patched, and Thomas said the DDS team learned valuable lessons from the three-month program, which was the longest bug bounty yet for the Air Force.
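The article does not say which misconfigurations let researchers obtain roles they were not assigned, so the following is an added illustration of one common way that class of finding shows up on AWS (the CCE runs on both AWS and Azure; only AWS IAM is covered here). It is not code from the Air Force, DDS or Bugcrowd, and the role names, account IDs and policy documents are constructed for the example. The check parses role trust policies and flags two patterns that hand a role to identities the owner never assigned it to: a wildcard principal, and a cross-account root principal with no Condition (which admits every identity in that account).

```python
"""Added example: flag IAM role trust policies that let unintended identities assume a role.

Hypothetical checker, not the Air Force's or Bugcrowd's tooling. All sample
policies below are constructed for illustration; the account IDs are AWS's
documentation placeholders.
"""

# Constructed sample: three role trust policies keyed by role name.
SAMPLE_ROLES = {
    # Finding: Principal "*" means any AWS principal may call sts:AssumeRole.
    "cce-deployer": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
        }],
    },
    # Finding: trusting another account's root without a Condition admits
    # every user and role in that account, not just the intended CI runner.
    "cce-ci-access": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": "sts:AssumeRole",
        }],
    },
    # Clean: a single named principal plus an ExternalId condition.
    "cce-reader": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-runner"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "ci-3f9a"}},
        }],
    },
}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(stmt):
    """True if the statement's Action covers some sts:AssumeRole* call."""
    for action in _as_list(stmt.get("Action")):
        a = action.lower()
        if a == "*" or a == "sts:*" or a.startswith("sts:assumerole"):
            return True
    return False


def assess_trust_policy(role_name, policy):
    """Return a list of human-readable findings for one role's trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal is legal JSON for "everyone"; a dict carries
        # the AWS / Federated / Service keys. Only the AWS key is checked here.
        aws_principals = [principal] if principal == "*" else _as_list(principal.get("AWS"))
        has_condition = bool(stmt.get("Condition"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"{role_name}: any AWS principal may assume this role")
            elif p.endswith(":root") and not has_condition:
                account = p.split(":")[4]
                findings.append(
                    f"{role_name}: every identity in account {account} may assume "
                    "this role (root principal without a Condition)"
                )
    return findings


def audit(roles):
    """Run the trust-policy check over a {role_name: policy} mapping."""
    return {name: assess_trust_policy(name, policy) for name, policy in roles.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROLES).items():
        status = "OK" if not findings else "FINDING"
        print(f"[{status}] {name}")
        for f in findings:
            print("   ", f)
```

In a real engagement the policies would come from `iam:GetRole` output across the account rather than an inline dict, and the same idea extends to Federated principals (OIDC/SAML) and to permission policies that grant `iam:PassRole` or `sts:AssumeRole` on `*`, which let a low-privileged identity pivot into roles it was never assigned.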
“This is especially interesting because it was our first time working with Bugcrowd,” Thomas said. “And it was another first because traditionally our assessments last about four weeks. That’s what we’ve determined to be a good gauge for us.”
Now the DDS team is looking to expand its Air Force bug bounty efforts with programs that will run for longer periods of time and possibly indefinitely.
“The Air Force is very much interested in looking into what a continuous monitoring perspective looks like — they want to have the access where their environment is continuously tested,” Thomas said. “But we didn’t know what that looks like, so this is our first attempt to kind of take a crack at it. We got a lot of good lessons learned out of it. This is a great model that we’re honestly going to focus on in future.”
DDS confirmed it will continue to work with Bugcrowd now that the initial Air Force bug bounty program has concluded. Thomas said the Air Force will likely launch similar programs before exploring longer engagements.
“I do think we know what a good model looks like going forward,” he said. “But at the same time, I think we need to run a couple more of these in conjunction to actually test that out.”
Beyond longer engagements for the Air Force, the Digital Defense Service team has discussed other avenues. Alex Romero, digital service expert at DDS who also helped manage the CCE bug bounty, said he would like to see GSA contractors run their own bug bounties prior to engaging the government.
“It would be my dream that anybody who is selling any sort of software or hardware to the government actually is doing this on their end before they sell that service or product to us,” Romero said. “I don’t like having to test their software after they’ve already given it to us. I think it’s just inefficient, and the earlier on in the process that you can find these bugs, the better.”
Bugcrowd founder, chairman and CTO Casey Ellis said the DDS and Air Force were eager to run a bug bounty program for the CCE and that they “took it with both hands and ran with it.” He added the Air Force, and government customers in general, deserve to be in the conversation about organizations that run effective bug bounties and incorporate both vulnerability reports and researcher feedback into their programs.
“The thing that was incredible about the Air Force program was the people we were working with got it. They were thoughtful, they volunteered ideas and they listened to our experience,” Ellis said. “It was straight-up extraordinary.”