The Department of Homeland Security (DHS) announced this week that it will run a "Hack DHS" bug bounty program.
As is usual for such programs, DHS is inviting security researchers to test its systems and report cybersecurity vulnerabilities, and it will pay a bounty for each report it confirms as a valid vulnerability. Unlike open public programs, though, DHS intends to admit only vetted cybersecurity researchers, and to give them access only to "select external DHS systems."
Homeland Security Secretary Alejandro Mayorkas explained, “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”
DHS clearly wants to keep tight control over the Hack DHS program and is rolling it out in three phases. In the first phase, the vetted hackers conduct virtual assessments of certain external DHS systems. Phase two is a live, in-person hacking event, and phase three is a review phase in which DHS assesses the results and plans future bug bounties. As for the rewards, according to The Record, between $500 and $5,000 will be paid per confirmed vulnerability.
Why is DHS taking this approach? Most likely because of its stated longer-term goal of "developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience." Nor is this the first program of its kind in the federal government: the DoD launched "Hack the Pentagon" back in 2016, in which over 250 hackers submitted reports and 138 vulnerabilities were confirmed.