Apr 05 2019

Air Force Used White Hat Hackers to Target Its Maintenance System

The exercise, which the service branch recently publicized, could lead to more bug bounties.

The Air Force is continuing to invest in bug bounty programs to identify cybersecurity vulnerabilities. The service branch recently disclosed a new one in which it hired certified ethical hackers to demonstrate what would happen if an insider “went rogue” and attacked the Air Force’s maintenance system.  

This past fall, the Reliability and Maintainability Information System program office at Wright-Patterson Air Force Base, was intentionally hacked by “white hat” hackers from bug bounty company Synack. REMIS is the “central, common source of all unclassified maintenance information for Air Force weapon systems.” The Air Force wanted to test how much “damage” or “malice” an authorized user could accomplish, according to an Air Force press release. 

Over four weeks, 73 hackers spent more than 1,700 man-hours testing REMIS for vulnerabilities and weaknesses, ultimately identifying 12 vulnerabilities with varying severities. The REMIS program office and the REMIS contractor, Northrop Grumman, were able to immediately fix 11 of the vulnerabilities and are taking steps to mitigate the remaining vulnerability, according to the press release. Overall, senior Air Force leaders were pleased with the results.


“The objective of this exercise was not only to assess the strength of REMIS’ cybersecurity posture, but to learn how to most effectively establish an enterprise level bug-bounty for the entire Logistics-Information Technology portfolio,” the Air Force says. The latest effort lays the foundation for “a broader friendly hack that will further the cybersecurity of Air Force logistics systems,” according to the release.

The first Hack the Pentagon bug bounty program occurred in 2016, as the Defense Department used crowdsourced cybersecurity expertise to detect hundreds of vulnerabilities in its public websites. Since then, the DOD has conducted a total of 11 bug bounty programs, including sessions examining the Army, Air Force, Defense Travel Service and the Marine Corps, FedScoop reports.