US Department of Homeland Security’s Hack DHS Program offers $5,000 Bug Bounties

Listen to this article

The US DHS (Department of Homeland Security) has announced that the department is offering up to $5,000 bug bounties under a new program called Hack DHS. Vetted security researchers invited by the agency will get access to select external DHS systems to identify vulnerabilities that could be exploited by bad actors. However, payments will vary between $500 and $5,000 depending on the severity of the bug. The DHS Secretary Alejandro N. Mayorkas said, “DHS must lead by example and constantly seek to strengthen the security of our own systems as the federal government’s cybersecurity quarterback. The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors”.

Moreover, the program will roll out in 3 phases, with hackers first doing virtual assessments of systems. It will be followed by a live in-person hacking event for the second phase. Mayorkas added, “The DHS will “identify and review lessons learned, and plan for future bug bounties in the third phase. Some of the major players we haven’t seen as active as previously. That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level”. The program will use a platform developed by the Cybersecurity and the CISA (Infrastructure Security Agency) and monitored by the DHS Office of the Chief Information Officer.

However, the private industry generally offers much higher bug bounties with companies like Microsoft and Apple offering payouts as high as $1 million. Although, the Hack DHS isn’t an open bounty program so it’s limited to a smaller pool of researchers. The DHS also said that attacks against it were up fourfold in 2021 but that some of the most dangerous groups have slowed down. Mayorkas delivered his words at Bloomberg’s Technology Summit and said, “Some of the major players we haven’t seen as active as previously. That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level”. This department will verify any bugs within 48 hours and either fix them or develop a plan to do so within 15 days.