Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

U.S. Government Launches ‘Hack DHS’ Bug Bounty Program

The United States Department of Homeland Security (DHS) this week announced the launch of a bug bounty program focused on identifying vulnerabilities in its systems.

The United States Department of Homeland Security (DHS) this week announced the launch of a bug bounty program focused on identifying vulnerabilities in its systems.

Only vetted cybersecurity researchers have been invited to the new ‘Hack DHS’ program, and they will be allowed to hunt for vulnerabilities in specific Department systems, so they can be addressed before malicious actors exploit them.

The program will run in three phases throughout Fiscal Year 2022, starting with the identification of vulnerabilities and moving into a live, in-person hacking event, followed by an assessment period during which DHS will review lessons learned.

Hack DHS will use a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA) and will be monitored by the DHS Office of the Chief Information Officer.

The researchers will report identified flaws to DHS system owners and leadership, providing details on the security defect itself, exploitation methods, and how it may lead to information leakage. Bug bounty rewards will be established based on the severity of the reported flaws – they will range between $500 and $5,000.

The Hack DHS bug bounty program is being launched four and a half years after a bill to establish it was announced, and three years after provisions by Senator Maggie Hassan (D-N.H.), Senator Rob Portman (R-Ohio), Rep. Ted Lieu (D-Calif.), and Rep. Scott Taylor (R-Va.) passed into law.

DHS launched a pilot bug bounty program in 2019. The U.S. government ran various other similar programs, including the Department of Defense’s ‘Hack the Pentagon‘, ‘Hack the Army‘, ‘Hack the Air Force‘, and others.

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro N. Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”

Related: U.S. Government Announces ‘Hack the Army 3.0’ Bug Bounty Program

Related: Microsoft Adds Power Platform to Bug Bounty Program

Related: Switzerland Launches Bug Bounty Program for E-Voting Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.