A pair of hackers discovered a vulnerability in Air Force software that allowed them to gain access to the Department of Defense’s unclassified network—a find that earned them more than $10,000, the largest payout ever in a government bug bounty program.
Security researchers Brett Buerhaus and Mathias Karlsson uncovered the vulnerability during Hack the Air Force, a bug bounty program similar to the Hack the Army and Hack the Pentagon programs run by the US Defense Department.
Bug bounty programs, which reward hackers who find vulnerabilities with cash, are common in the tech industry. But the US government has been a bit slower to adopt them, for several reasons: Federal agencies have stricter guidelines about how they can spend their budgets, and they’re a bit more cautious about opening themselves up to hackers. But that’s been changing slowly since the Defense Department launched its first bug bounty last year.
“I didn’t expect how willing they were to work with us to figure out the issue and see how impactful it was,” Buerhaus said in a statement. “There’s such a perception of the government being closed off and ready to sweep issues under the rug. It was great seeing how excited they were to work with us. This honestly changes everything, and it’s clear they care about working with us to protect their interests.”
Over the course of just nine hours, Buerhaus, Karlsson, and dozens of other participating hackers were able to find 55 vulnerabilities in Air Force software. The program will continue through January 1, giving hackers even more time to find flaws.
Bauerhaus and Karlsson will split the $10,650 bug bounty, which is more than twice the previous top Hack the Air Force bug bounty payout. The first Hack the Air Force challenge, which was held earlier this year, paid a top bug bounty of $5,000. Hack the Army and Hack the Pentagon have each maxed out around $3,000. (These are just the public payouts, though, and private bounties might be higher.)
“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” Air Force chief information security officer Peter Kim said in a statement. “We’re greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public facing AF websites. The cost-benefit of this partnership is invaluable.”