DHS establishes its own bug bounty program, offering outsiders $500 to $5K for discovering flaws
The Homeland Security Department is launching a bug bounty program to invite researchers to probe its systems for flaws, DHS Secretary Alejandro Mayorkas said Tuesday.
Under the “Hack DHS” initiative Mayorkas discussed at the Bloomberg Technology Summit, ethical hackers would receive between $500 and $5,000 for identifying vulnerabilities, depending on their severity. The department would verify flaws within 48 hours and fix them within 15 days, or for complex bugs, develop a plan to do so during that period.
“We’re focused not only on protecting and enhancing the cybersecurity of the private sector and of the federal government at large but, of course, we as a department have to lead by example and so what we are very focused on is identifying vulnerabilities and addressing or remediating those vulnerabilities,” Mayorkas said.
DHS is a latecomer to the bug bounty trend compared with some other federal agencies: the Defense Department initiated its “Hack the Pentagon” pilot back in 2016, and the IRS that same year began the first civilian federal agency bug bounty program.
In January of 2019, President Donald Trump signed a bill into law that directed DHS to develop a test bug bounty program within six months. While Mayorkas didn’t say how much money “Hack DHS” would cost, the Congressional Budget Office estimated that one year of the pilot program under that legislation would cost $250,000.
“We’re really investing a great deal of money, as well as attention and focus on this program,” Mayorkas said of the potentially permanent initiative. A DHS spokesperson didn’t immediately respond to questions about the program’s ongoing cost, kickoff date and more.
The program will, however, run throughout fiscal year 2022, which began in October, according to a DHS announcement.
The bug bounty pilot legislation placed the DHS chief information officer in charge of the program and gave that office leeway to determine which information systems would be in scope. DHS says that for the fuller program, hackers will work in three phases: first conducting assessments on some external systems, then taking part in a live in-person hacking event, and concluding with a “lessons learned” segment and a plan for future events. The CIO will oversee the program together with the Cybersecurity and Infrastructure Security Agency.
DOD has been pleased with its program, continually expanding it to authorize hackers to pursue new targets, most recently in May opening it up to all publicly accessible DOD information systems, industrial control systems, the internet of things and more. Over its existence, the program has received more than 29,000 vulnerability reports, 70% of which DOD has validated.
“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” said Brett Goldstein, then-director of the Defense Digital Service.
Critics of bug bounty programs, however, contend that they can undermine security by emphasizing lesser bugs and by encouraging organizations to rely on them too heavily in their overall security posture, among other potential ill effects.
DHS this year did establish a vulnerability disclosure program setting terms for how ethical hackers can notify the department of vulnerabilities. It also issued a directive last year for federal agencies to set up such programs.