More than 450 security researchers working through the Department of Homeland Security’s “Hack the DHS” bug bounty program identified more than 122 vulnerabilities, 27 of which were deemed critical, according to a DHS statement first obtained by CyberScoop.
DHS awarded $125,600 to participants in the program for finding the vulnerabilities, the statement said. The researchers, vetted by the agency before participating, were eligible to receive between $500 and $5,000 for each verified vulnerability, depending on its severity.
The DHS bug bounty program, launched in December 2021, brought the agency up to speed with other agencies that already had bug bounty programs, such as the Department of Defense and the Internal Revenue Service, which both launched their programs in 2016. In January 2019 President Donald Trump signed legislation requiring DHS to develop a test bug bounty program within six months.
DHS was, however, the first federal agency to expand its bug bounty program to find and report log4j vulnerabilities across all public information system assets, the statement said, “which allowed the Department to identify and close vulnerabilities not surfaced through other means.” In December, DHS’s Cybersecurity and Infrastructure Security Agency Director Jen Easterly called the log4j vulnerability one of the most dire she’d ever seen.
“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” DHS Secretary Alejandro Mayorkas said in the statement.
The statement did not disclose the vulnerabilities that were found, nor did it share any information about fixes for the bugs. Under original plans for the DHS program, the agency would verify the flaws within 48 hours of being notified, and fix them within 15 days — or, for more complex bugs, develop a plan to address them.
Bug bounty programs seek to incentivize vetted security researchers to probe agreed-upon computer systems for vulnerabilities within a clearly defined set of parameters. Critics of such programs worry that unscrupulous researchers could sell the vulnerability on the black market for much more than the $5,000 DHS cap, or take the found vulnerability to the software vendor and seek a ransom of sorts.
Friday’s results represent the first phase of the DHS bug bounty program. The second phase will consist of a live, in-person hacking event, while the third will identify lessons learned to inform future bug bounty programs.
“The enthusiastic participation by the security researcher community during the first phase of HACK DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS Chief Information Officer Eric Hysen said in the statement.