International Hackers Find 106 Bugs in US Air Force Websites

One bug discovered during Hack the Air Force 2.0 earned $12,500—the largest federal bounty paid out so far.

Breaking into a federal network usually gets you a one-way ticket behind bars, but sometimes hacking the government ends with a paycheck instead of a prison sentence.

The Air Force paid out nearly $104,000 to a cohort of white-hat hackers as part of Hack the Air Force 2.0, the Pentagon’s most recent bug bounty competition. During the 20-day competition, participants uncovered 106 security vulnerabilities across roughly 300 of the branch’s public-facing websites.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force Chief Information Security Officer Peter Kim in a statement. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

The event kicked off Dec. 9 with a hackathon in New York City that partnered military cyber specialists with an A-list group of 25 ethical hackers from the United States, Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia. Participants discovered two bugs within the first 30 seconds of the competition and another 53 by the end of the day, earning a total of $26,883 in bounties.

By the time the program concluded Jan. 1, hackers had uncovered 51 more vulnerabilities and earned an additional $77,000. The findings included a bug worth $12,500, the largest single bounty awarded in any federal program to date.

Bug bounty programs recruit ethical or white-hat hackers to find security holes within an organization’s computer networks. Vulnerabilities can range from low-risk flaws to major problems capable of corrupting the entire network or exposing sensitive information.

Hack the Air Force 2.0 marked the fourth government bug bounty hosted by HackerOne, a cybersecurity platform that has now helped the Pentagon uncover more than 3,000 vulnerabilities since 2016.

Unlike the original Hack the Air Force bug bounty, the second iteration was open to citizens of the Five Eyes countries—Australia, Canada, New Zealand, United Kingdom and United States—as well as citizens of NATO countries and Sweden.