'Hack DHS' bug hunters find 122 security flaws in DHS systems

The Department of Homeland Security (DHS) today revealed that bug bounty hunters enrolled in its 'Hack DHS' bug bounty program have found 122 security vulnerabilities in external DHS systems, 27 of them rated critical severity.

DHS awarded a total of $125,600 to over 450 vetted security researchers and ethical hackers, with rewards of up to $5,000 per bug, depending on the flaw's severity.

"The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited," said DHS Chief Information Officer Eric Hysen.

"We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses."

The 'Hack DHS' program builds upon the experience of similar efforts across the US federal government (e.g., the 'Hack the Pentagon' program) and the private sector.

DHS launched its first bug bounty pilot program in 2019, two years before 'Hack DHS,' after the SECURE Technology Act was signed into law, requiring the establishment of a security vulnerability disclosure policy and a bounty program.

Launched to develop a model for other govt organizations

The 'Hack DHS' bug bounty program was announced in December 2021. It requires the hackers to disclose their findings together with detailed information on the vulnerability, how it can be exploited, and how it can be used to gain access to data DHS systems.

All reported security flaws are then verified by DHS security experts within 48 hours and are fixed in 15 days or more, depending on the bug's complexity.

One week after the launch, the DHS expanded the scope of the 'Hack DHS' bounty program to allow researchers to track down DHS systems impacted by Log4j-related vulnerabilities.

The decision to expand the program came on the heels of a CISA emergency directive ordering Federal Civilian Executive Branch agencies to patch their systems against the critical Log4Shell bug until December 23.

"Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity," added Secretary of Homeland Security Alejandro N. Mayorkas.

"Hack DHS underscores our Department's commitment to lead by example and protect our nation's networks and infrastructure from evolving cybersecurity threats."