Hackers find Air Force vulnerability for biggest government bug bounty reward yet

A pair of white-hat hackers managed to find a critical vulnerability in an Air Force public website that let them access the Defense Department’s unclassified internal network.

Fortunately for the Air Force, it came as part of its Hack the Air Force 2.0 bug bounty, which it kicked off during the h1-212 hacking event in New York. The service invited non-Air Force hackers to seek out vulnerabilities in 300 of its public websites. The Dec. 9 event brought together security teams and ethical hackers “to discover as many vulnerabilities as possible,” according to HackerOne, the organization the Air Force contracted to host the bounty.

The service paid the security professionals, Brett Buerhaus and Mathias Karlsson, $10,650 for discovering the flaw. It’s the largest payout yet in a government bug bounty, though the top prize, according to the Air Force, could’ve been as much as $50,000.

“I didn’t expect how willing they were to work with us to figure out the issue and see how impactful it was,” Buerhaus told HackerOne. “There’s such a perception of the government being closed off and ready to sweep issues under the rug. It was great seeing how excited they were to work with us. This honestly changes everything, and it’s clear they care about working with us to protect their interests.”

At the end of the nine-hour day day, the Air Force paid out $26,883 in bounties and triaged each of the 55 reported vulnerabilities.

HackerOne has hosted other bug bounties for the Defense Department, most notably Hack the Pentagon, which was the first such bounty operated for a federal agency. According to HackerOne, “DoD has resolved over 3,000 vulnerabilities in public facing systems with bug bounty challenges and the ongoing [vulnerability disclosure program], and hackers have earned over $300,000 in bounties for their contributions — exceeding expectations and saving the DoD millions of dollars.”

To the delight of Air Force officials, it took participants less than 30 seconds to find the first vulnerabilities.

“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” Peter Kim, Air Force chief information security officer, said in a release. “We’re greatly expanding on the tremendous success of the first challenge by targeting approximately 300 public facing Air Force websites. The cost-benefit of this partnership in invaluable.”

Hack the Air Force 2.0 isn’t over, though. The service will continue accepting vulnerability reports until Jan. 1, 2018, from citizens in The Five Eyes countries — Australia, Canada, New Zealand, United Kingdom and United States — as well as those from NATO countries and Sweden. The inclusion of so many countries “makes the Hack the Air Force 2.0 challenge the most open government bug bounty program to-date,” HackerOne said.