Connect with us

Hi, what are you looking for?



Hack DHS Act Establishes Bug Bounty Program for DHS

Following what is now widespread practice among private industry tech giants, a new bill proposes to force the DHS to introduce its own public-sector bug bounty program.

Following what is now widespread practice among private industry tech giants, a new bill proposes to force the DHS to introduce its own public-sector bug bounty program.

Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the Hack Department of Homeland Security (DHS) Act on 25 May. Designated S.1281, it is described as “A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.”

At the time of writing, there is no publicaly published text for the bill. Nevertheless, lists it as having been read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Hassan publicly announced the new bill on Friday. She described it as designed to “strengthen cyber defenses at DHS by utilizing ‘white-hat’ or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and data systems.” It is modeled on the bug bounty programs of the tech industry, and last year’s ‘hack the Pentagon’ and ‘hack the Army’ programs.

Spanning April and May 2016, the Department of Defense (DoD) ran ‘Hack the Pentagon‘ via HackerOne. It attracted more than 1400 hackers; 250 of whom submitted at least one vulnerability report. 138 were judged valid and eligible for a bounty from the program’s $150,000 funding. Ash Carter, Secretary of Defense at the time, estimated that the program saved the department more than $800,000 against the cost of a similar exercise via the security industry.

Since then both the Army and the Air Force have engaged similar programs. Hack the Army ran from the end of November to 21 December 2016. 371 white-hat hackers registered and submitted a total of 471 vulnerability reports. Nearly 120 were adjudged actionable and were awarded a total of more than $100,000.

Hack the Air Force was announced in April 2017, and registrations opened on 15 May. The event will take place between May 30 and June 23, and is open to researchers from any of the Five Eyes nations: US, UK, Canada, Australia and New Zealand.

Advertisement. Scroll to continue reading.

“Federal agencies like DHS are under assault every day from cyberattacks,” explained Hassan in her statement Friday. “These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help. The Hack DHS Act provides this help by drawing upon an untapped resource — patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens.”

“The networks and systems at DHS are vital to our nation’s security,” said Portman. “It’s imperative that we take every step to protect DHS from the many cyber attacks they face every day. One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats.”

The bill is getting cautious support from the private sector. “The proposed Hack DHS Act seems, on its surface, to be a very positive step forward to helping better secure the nation’s websites and other web-facing infrastructure,” Nathan Wenzler, chief security strategist at security consulting firm AsTech, told SecurityWeek. He pointed to the continuing success of bug bounties in the private sector. “Provided that appropriate measures are taken to vet the individuals who are performing the ethical hacking work, this could end up being a very valuable tool to help improve the security posture of some of the most heavily attacked sites out there.”

Chris Roberts, chief security architect at threat detection firm Acalvio, takes a similar view. Provided that adequate checks are made against the registrants and strict rules are devised and enforced, then “yes, in the ‘spirit’ of hacking it’s good.”

But he warned, “Let’s not devalue the red-team work and have someone hit the systems from all angles and all sides. That way there’s a true perspective. The whole idea of hacking the DHS would be to focus on the weakest links, which are humans and third parties. I’m going to assume those are out of scope, which in reality, makes it kind of a waste of time. On paper, it’s a good idea. But allow us to hit whenever and wherever we want, like a true attacker would and then let’s talk. Until then, it’s simply a face-saving thing which cheapens the whole assessment side of the world.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.