The United States Department of Homeland Security (DHS) this week announced the launch of a bug bounty program focused on identifying vulnerabilities in its systems.
Only vetted cybersecurity researchers have been invited to the new ‘Hack DHS’ program, and they will be allowed to hunt for vulnerabilities in specific Department systems, so they can be addressed before malicious actors exploit them.
The program will run in three phases throughout Fiscal Year 2022, starting with the identification of vulnerabilities and moving into a live, in-person hacking event, followed by an assessment period during which DHS will review lessons learned.
Hack DHS will use a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA) and will be monitored by the DHS Office of the Chief Information Officer.
The researchers will report identified flaws to DHS system owners and leadership, providing details on the security defect itself, exploitation methods, and how it may lead to information leakage. Bug bounty rewards will be established based on the severity of the reported flaws – they will range between $500 and $5,000.
The Hack DHS bug bounty program is being launched four and a half years after a bill to establish it was announced, and three years after provisions by Senator Maggie Hassan (D-N.H.), Senator Rob Portman (R-Ohio), Rep. Ted Lieu (D-Calif.), and Rep. Scott Taylor (R-Va.) passed into law.
DHS launched a pilot bug bounty program in 2019. The U.S. government ran various other similar programs, including the Department of Defense’s ‘Hack the Pentagon‘, ‘Hack the Army‘, ‘Hack the Air Force‘, and others.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro N. Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
Related: U.S. Government Announces ‘Hack the Army 3.0’ Bug Bounty Program
Related: Microsoft Adds Power Platform to Bug Bounty Program
Related: Switzerland Launches Bug Bounty Program for E-Voting Systems