Air Force hackathon pays out $104,000

The Air Force paid hackers nearly $104,000 for round two of its extended hackathon, but found fewer vulnerabilities.

Hack the Air Force 2.0 initially launched Dec. 9 in New York, racking up 55 vulnerabilities in nine hours and paying $26,883 for the discoveries.

The service, which partnered with HackerOne to run the event, extended the hackathon 20 days and paid $103,883 for a total of 51 vulnerabilities discovered during that time period. The highest single bounty paid was $12,500, which is the most awarded for a federal bug program.

Bug bounty programs have been heralded for their success in finding and correcting security flaws in a short amount of time. But Congress has also criticized them because of the potential for nefarious parties to use bounty programs to hold vulnerabilities hostage for ransom.

Uber drew criticism earlier this month for having paid hackers to get back stolen data through the company's bug bounty program.

In a February Senate hearing, Uber's chief information security officer, John Flynn, was grilled on the incident, admitting the company acted inappropriately, while fellow panelists both touted the effectiveness of bounty programs and warned that setting bounties too high could backfire, attracting the wrong talent.

HackerOne's chief technology officer Alex Rice wrote in a blog post following the hearing that "All bounty amounts should adhere to clear, published policies. Never increase bounty amounts in response to demands, opening the door to dangerous quid pro quo negotiations."

Hackers have discovered more than 3,000 vulnerabilities in federal systems, including Hack the Pentagon, since the first programs were formalized in 2016.

"We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round," Air Force CISO Peter Kim said in a statement announcing the hackathon results. "This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come."

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. Follow her on Twitter @lalaurenista.
