Air Force hackathon pays out $104,000

By stock illustration ID: 319582172 

The Air Force paid hackers nearly $104,000 for round two of its extended hackathon, but found fewer vulnerabilities.

Hack the Air Force 2.0 initially launched Dec. 9 in New York, racking up 55 vulnerabilities in nine hours and paying $26,883 for the discoveries.

The service, which partnered with HackerOne to run the event, extended the hackathon 20 days and paid $103,883 for a total of 51 vulnerabilities discovered during that time period. The highest single bounty paid was $12,500, which is the most awarded for a federal bug program.

Bug bounty programs have been heralded for their success in finding and correcting security flaws in a short amount of time. But Congress has also criticized them because of the potential of nefarious parties using bounty programs to hold vulnerabilities hostage for ransom.

Uber drew criticism earlier this month for having paid hackers to get back stolen data through the company's bug bounty program.

In a February Senate hearing, Uber's chief information security officer, John Flynn, was grilled on the incident, admitting the company acted inappropriately, while fellow panelists both touted the effectiveness of bounty programs and warned that setting bounties too high could backfire, attracting the wrong talent.

HackerOne's chief technology officer Alex Rice wrote in a blog post following the hearing that "All bounty amounts should adhere to clear, published policies. Never increase bounty amounts in response to demands, opening the door to dangerous quid pro quo negotiations."

Hackers have discovered more than 3,000 vulnerabilities in federal systems, including Hack the Pentagon, since the first programs were formalized in 2016.

"We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round," Air Force CISO Peter Kim said in a statement announcing the hackathon results. "This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come."

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.