Air Force hackathon pays out $104,000

In its second hackathon, the Air Force paid out a record amount in bounties after extending the December program 20 days.

By andriano.cz stock illustration ID: 319582172
 

The Air Force paid hackers nearly $104,000 for round two of its extended hackathon, but found fewer vulnerabilities.

Hack the Air Force 2.0 initially launched Dec. 9 in New York, racking up 55 vulnerabilities in nine hours and paying $26,883 for the discoveries.

The service, which partnered with HackerOne to run the event, extended the hackathon 20 days and paid $103,883 for a total of 51 vulnerabilities discovered during that time period. The highest single bounty paid was $12,500, which is the most awarded for a federal bug program.

Bug bounty programs have been heralded for their success in finding and correcting security flaws in a short amount of time. But Congress has also criticized them because of the potential of nefarious parties using bounty programs to hold vulnerabilities hostage for ransom.

Uber drew criticism earlier this month for having paid hackers to get back stolen data through the company's bug bounty program.

In a February Senate hearing, Uber's chief information security officer, John Flynn, was grilled on the incident, admitting the company acted inappropriately, while fellow panelists both touted the effectiveness of bounty programs and warned that setting bounties too high could backfire, attracting the wrong talent.

HackerOne's chief technology officer Alex Rice wrote in a blog post following the hearing that "All bounty amounts should adhere to clear, published policies. Never increase bounty amounts in response to demands, opening the door to dangerous quid pro quo negotiations."

Hackers have discovered more than 3,000 vulnerabilities in federal systems, including Hack the Pentagon, since the first programs were formalized in 2016.

"We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round," Air Force CISO Peter Kim said in a statement announcing the hackathon results. "This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come."