Vulnerabilities / Threats

12/18/2017
12:30 PM
50%
50%

US Government Pays $10,650 Bug Bounty in 'Hack the Air Force' Event

The bounty, split between two researchers, is the largest single reward by any government bug bounty program to date.

The United States Air Force paid out a total of $26,883 in bug bounty rewards during h1-212, HackerOne's fourth live hacking event of 2017 and kickoff for Hack the Air Force 2.0.

This payout included a single prize of $10,650, the biggest reward from any government bug bounty program to date. Hackers Brett Buerhaus and Mathias Karlsson earned the sum, which they split, for discovering a vulnerability in the Air Force website that let them pivot onto the US Department of Defense's unclassified network.

Twenty-five civilian hackers from seven countries, and seven US Air Force members, reported 55 total vulnerabilities in nine hours of hacking over the course of the day. The average time to first response was 25 minutes, and every report was triaged by the end of the day, HackerOne states. Hack the Air Force 2.0 will continue through Jan. 1, 2018.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6681
PUBLISHED: 2018-07-17
Abuse of Functionality vulnerability in the web interface in McAfee Network Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via appliance web interface.
CVE-2018-13864
PUBLISHED: 2018-07-17
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.
CVE-2018-14338
PUBLISHED: 2018-07-17
samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms (other than Apple platforms) where glibc is not used, possibly leading to a buffer overflow.
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.