‘Hack DHS’ Bug Bounty Program Invites Vetted Researchers to Find Security Flaws before Threat Actors Do

The US Department of Homeland Security (DHS) has launched a bug bounty program in a bid to find and fix any security weaknesses in its systems. In typical bug-bounty format, researchers will win cash prizes proportional to the severity of the bugs found.

Piloted in 2019 as a result of provisions authored by several US senators, ‘Hack DHS’ seeks to “identify potential cybersecurity vulnerabilities within certain DHS systems and increase the Department’s cybersecurity resilience,” according to the fed’s announcement.

Cybersecurity is one of the DHS’s primary objectives, alongside other national threats like terrorism, border security, and disaster prevention. So Hack DHS only invites “vetted cybersecurity researchers to access select external systems [and] identify vulnerabilities that could be exploited by bad actors so they can be patched.”

“These hackers will be rewarded with payments (‘bounties’) for the bugs they identify […] The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs,” it clarifies.

The announcement doesn't state actual prize sums. Typical bounties awarded in programs run by companies such as Google, Mozilla and Microsoft range from hundreds of dollars for mild bugs to tens of thousands for critical ones.

In the upcoming DHS program, white hat hackers will use a proprietary platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), with its own rules of engagement, management and monitoring by the DHS Office of the Chief Information Officer, according to the press release.

Researchers will disclose their findings to designated system owners and leaders, “including what the vulnerability is, how they exploited it, and how it might allow other actors to access information.”

In other words, participating hackers must offer a working proof of concept (PoC) for each vulnerability they uncover – again, typical of a bug bounty format.

‘Hack DHS’ is a three-phase program, unfolding across fiscal year 2022 as follows:

1. Researchers will conduct virtual assessments on certain DHS external systems

2. Participants will then chime in during a live, in-person hacking event

3. And finally, DHS will identify and review lessons learned, and plan for future bug bounties

The stated goal of phase 3 is to “develop a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.”