author photo
By Clare O’Gara
Tue | Oct 1, 2019 | 3:15 AM PDT

Thinking of implementing a bug bounty program at your organization?

You might want to take a page from what the U.S. Air Force has found.

The results of the first Air Force bug bounty program for its cloud platform, the Common Computing Environment (CCE), are now in.

It was a successful three-month pilot, and now the program may  expand.

TechTarget SearchSecurity covered the story:

The program, which was managed by Bugcrowd, invited around 50 pre-approved security researchers and bug hunters and discovered 54 vulnerabilities within the CCE over the three-month span.

A total of $123,000 was paid out to researchers, including a top prize of $20,000.

James Thomas of the Air Force Digital Service, which is part of the Digital Defense Service (DDS), told SearchSecurity the most significant vulnerabilities involved access control issues that allowed researchers to obtain roles and configurations to which they were not assigned.

The Air Force bug bounty submissions were immediately addressed and patched, and Thomas said the DDS team learned valuable lessons from three-month program, which was the longest bug bounty yet for the Air Force.