The US Department of Homeland Security is launching its own bug bounty program to help find and correct gaps in its systems.
The new "Hack DHS" program was made official by Homeland Security Secretary Alejandro Mayorkas in a press release on the agency's website after it was revealed at the recent Bloomberg Technology Summit and covered by The Record. The program promises to pay out between $500 and $5,000 to "vetted cybersecurity researchers who have been invited to access select external DISH systems." The actual payout will be based on the severity of the specific vulnerability discovered.
As noted by DHS, this new bounty program builds on similar private-sector efforts and "Hack the Pentagon," a first-of-its-kind program launched in 2016 that was ultimately responsible for identifying over 100 vulnerabilities across various Defense Department assets. The DHS itself created a similar pilot program in 2019 on the back of a bipartisan bill. It followed related efforts from the Department of Defense, Air Force, and Army.
"The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors," Mayorkas noted.
The effort will include three phases that will run throughout FY 2022. In the first phase, hackers will be called on to conduct "virtual assessment" on select DHS systems. This will be followed by a "live, in-person hacking event" during phase two, and an identification and review process during the third and final phase.
The DHS noted that it will use the data collected during this process to both plan for future bug bounties, and to develop "a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience."
Like previous government programs of a similar nature, this one will be governed by rules orchestrated by the DHS' Cybersecurity and Infrastructure Security Agency (CISA), with all participants required to fully disclose any information that could be useful in mitigating and correcting the vulnerabilities they discover.
The hope for programs like this one is to privately discover and patch holes without relying on external security researchers or random discoverers to do the scrupulous thing and inform the vendor/agency before releasing a vulnerability into the wild. This effort appears particularly timely in a world where governments, businesses, and just about everyone that owns a computer continue to deal with the fallout from the very public disclosure and rapid exploitation of the Log4j vulnerability.