Air Force pays pair of hackers over $10K for uncovering major website bug
By DENISSE RAUDA | STARS AND STRIPES Published: December 19, 2017
Seeking to test the security of its 300-plus public-facing websites, the Air Force recently invited — and paid — a group of outside hackers to try to expose system bugs.
Twenty-five civilian computer savants from around the world joined a team of seven airmen from various cyber operations squadrons for Hack the Air Force 2.0, which was held on Dec. 9 in New York City.
The nine-hour event uncovered 55 bugs — two of which were found within the first 30 seconds — netting a government payout of $26,883, according to HackerOne, the company contracted to host and coordinate the event.
A couple of hours into the hackathon, two civilians uncovered a major weakness that exposed the Defense Department’s unclassified network, HackerOne said on its website. The discovery netted Brett Buerhaus and Mathias Karlsson $10,650 — the biggest single reward to date from any government bug-bounty program.
“There’s such a perception of the government being closed off and ready to sweep issues under the rug,” Buerhaus told HackerOne. “It was great seeing how excited they were to work with us.”
Maj. Gen. Christopher Weggeman, 24th Air Force commander, said the event helped the service showcase its offensive capabilities in an official capacity alongside private and commercial sectors and international partners.
“Not only does this program strengthen those partnerships, it allows the Air Force to both teach and learn from the best and brightest outside of the [Defense Department],” he said in an Air Force statement.
Separate Hack the Air Force 2.0 events are scheduled to continue through Jan. 1. Non-Air Force participants could receive cash rewards of up to $50,000 for each vulnerability they identify. For more information, visit the Hack the Air Force 2.0 site.