The payout is the largest ever in the US government's bug bounty program, which encourages hackers to hunt down and flag system vulnerabilities in return for cash prizes.
Security professionals Brett Buerhaus and Mathias Karlsson discovered the flaw during the Hack the Air Force 2.0 bug bounty event in New York on December 9. According to HackerOne, a vulnerability disclosure and bug bounty company contracted by the Department of Defense, the service invited non-Air Force hackers to "discover as many vulnerabilities as possible" in 300 of its public websites. The Air Force also sent a team of airmen from the 90th, 315th and 390th Cyber Operations Squadrons to work with outside security members to discover security gaps.
"I didn't expect how willing they were to work with us to figure out the issue and see how impactful it was," Buerhaus told HackerOne. "There's such a perception of the government being closed off and ready to sweep issues under the rug. It was great seeing how excited they were to work with us. This honestly changes everything, and it's clear they care about working with us to protect their interests."
At the end of the nine-hour hackathon, the Air Force dished out a total of $26,883 in bounties and triaged the 55 discovered vulnerabilities.
"Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses. We're greatly expanding the tremendous success of the first challenge by targeting approximately 300 public-facing Air Force websites. The cost-benefit of this partnership is invaluable," Peter Kim, Air Force chief information security officer, wrote in a recent statement.
According to Maj. Gen. Christopher Weggeman, commander of the 24th Air Force, "This was a first to showcase our offensive capabilities in an official capacity alongside private and commercial sectors and international partners. Not only does this program strengthen those partnerships, it allowed the Air Force to both teach and learn from the best and brightest outside of the [Department of Defense]," the Air Force reported in a press release last week.
HackerOne is a commonly contracted firm for this sort of work, having worked on Hack the Pentagon back in April 2016, the first such bounty conducted for a federal agency.
"The Department of Defense has resolved over 3,000 vulnerabilities in public-facing systems with bug bounty challenges and the ongoing [vulnerability disclosure program], and hackers have earned over $300,000 in bounties for their contributions — exceeding expectations and saving the Department of Defense millions of dollars," according to HackerOne.
Hack the Air Force 2.0 is still going. The service will continue to receive vulnerability reports from other countries, including Australia, Canada, New Zealand, the United Kingdom and Sweden, until January 1.
The participation of several countries "makes the Hack the Air Force 2.0 challenge the most open government bug bounty program to date," HackerOne said.