Hackers Infiltrate DOD, Earn Priciest Government Bug Bounty Reward Ever

Hackers Frans Rosen (left) and Mathias Karlsson collaborate with two USAF airmen during Hack the Air Force 2.0’s live-hacking launch event in New York City. Photo courtesy of HackerOne.

Hackers Brett Buerhaus and Mathias Karlsson earned $10,650 for infiltrating the Department of Defense’s unclassified network through a vulnerability in a USAF website Dec. 9 at a live-hacking event in New York City, launching the second Hack the Air Force program.

Known as pivoting, Buerhaus and Karlsson’s maneuver demonstrated a flaw that likely would have been impossible to find without outside help, according to a Defense Media Activity official. “We wouldn’t have found this without you,” James Garrett, DMA’s web chief of operations, told the hackers during the event, which was run by bug bounty organizer HackerOne. The two hackers split that one bounty, purportedly the “biggest single reward by any government bug bounty program to-date,” a HackerOne spokesperson wrote to Air Force Magazine.

Buerhaus, known in the HackerOne program as ziot, has alone found 223 bugs throughout his time with HackerOne and its various bounties. A list of his HackerOne achievements includes Hacking Hackers (for hacking HackerOne itself in March) and Belle of the Ball (for submitting the month’s top ranked bug, also in March). Also, Buerhaus recently achieved five years’ tenure with the online gaming giant Blizzard Entertainment, for which he earned a sword (apparently that’s the company’s normal tenure gift).

Karlsson, known in the HackerOne program as avlidienbrunn, has 184 bugs to his credit, with public thanks for his work from companies like Uber, Yahoo!, Twitter, Spotify, and 14 others. His pinned tweet tells everyone who visits his page that he hacked the online password manager LastPass in the summer of 2016, which he explains step-by-step in a blog post for a cybersecurity consulting company he founded. Asked online what advice he’d offer hackers starting out, the 22-year-old said the best advice he ever got was to RTFM, online slang for “read the [expletive] manual.”

HackerOne’s live-hacking event, dubbed h1-212, kicked off HackerOne’s larger bug bounty program Hack the Air Force 2.0 (Air Force Magazine reported the results of the first Hack the Air Force bounty program in August). During the launch, seven USAF airmen and 25 civilians—comprising people from the US, Canada, the UK, Sweden, the Netherlands, Belgium, and Latvia—hacked USAF networks for nine hours nonstop. They found 55 vulnerabilities, and USAF paid out $26,883 total in bounties. During this live event, members of the DMA and US Defense Digital Services were onsite to attempt to fix issues as they were reported. According to HackerOne, every report had been handled by the end of the launch event.

“As a vulnerability was identified, shortly thereafter, hackers would be attempting to highlight the vulnerability to another team of hackers,” said Lt. Col. Jonathan Joshua, 24th Air Force’s deputy chief of staff. “… But the vulnerability had already been patched. They’d be trying to grab screen shots to prepare a post-day brief, but they couldn’t because the systems were already healthy.”

Hack the Air Force 2 runs for 23 days, similar to the first event, and ends Jan. 1, 2018. HackerOne claims it will be the “most open government bug bounty program” ever, open to all citizens of the Five Eyes nations—a group of close allies, made up of the US, Canada, the UK, Australia, and New Zealand, that work together and share intelligence and surveillance information—as well as all NATO nations and Sweden (the previous HTAF1 was open only to the Five Eyes).
