DHS announces 'Hack DHS' bug bounty program for vetted researchers

The Department of Homeland Security (DHS) has launched a new bug bounty program dubbed "Hack DHS" that allows vetted cybersecurity researchers to find and report security vulnerabilities in external DHS systems.

"As the federal government's cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems," said DHS Secretary Alejandro N. Mayorkas.

"The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation's cybersecurity."

The new bug bounty program will use a platform developed by the Cybersecurity and Infrastructure Security Agency (CISA) and will be monitored by the DHS Office of the Chief Information Officer.

Researchers who report security vulnerabilities as part of the Hack DHS program will be able to win monetary rewards of up to $5,000, depending on the flaw's severity.

Hackers enrolled in the program will be required to disclose their findings and detailed info on the vulnerability, how attackers can potentially exploit it, and how threat actors could use it to access information from DHS systems.

DHS will verify reported security flaws within 48 hours and remediate them within 15 days, or longer if the bug's complexity requires it.

Three-phase bug bounty program

After completing the three Hack DHS phases planned for next year, the department aims to produce a bug bounty model that other government organizations can adopt to strengthen their own cybersecurity resilience.

"During phase one, hackers will conduct virtual assessments on certain DHS external systems," Homeland Security explained.

"During the second phase, hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify and review lessons learned, and plan for future bug bounties."

The Hack DHS bug bounty program builds upon experience and practices from similar efforts across the federal government (e.g., the "Hack the Pentagon" program) and the private sector.

DHS launched its first bug bounty pilot program two years ago, in 2019, after the SECURE Technology Act (authored by Senator Maggie Hassan, Senator Rob Portman, Rep. Ted Lieu, and Rep. Scott Taylor) was passed into law, requiring the department to establish a security vulnerability disclosure policy and a bug bounty program.
