DHS scales up bug bounty program


Department of Homeland Security Secretary Alejandro Mayorkas announced a plan to pay vetted cybersecurity researchers between $500 and $5,000 for identifying cybersecurity vulnerabilities within agency systems.

The Department of Homeland Security has launched a new bug bounty program with the mission of recruiting internet hackers to join forces with the federal government in identifying potential cyber vulnerabilities in agency systems.

The new initiative, titled “Hack DHS,” was announced on Tuesday by DHS Secretary Alejandro Mayorkas, who said participating security researchers will be paid anywhere from $500 to $5,000 “depending on the gravity of the vulnerability” they discover.

“What we are very focused on is identifying vulnerabilities and addressing or remediating those vulnerabilities,” Mayorkas said at the Bloomberg Technology Summit. “We're really investing a great deal of money as well as attention and focus on this program.”

News of the program comes as cybersecurity professionals across the public and private sectors are scrambling to patch a vulnerability in a widely used piece of application logging software called Log4j, which allows hackers to easily access unpatched systems. Many enterprise systems have dependencies on the Java-based code, and identifying and remediating the vulnerability is proving to be a slog.

“To be clear, this vulnerability poses a severe risk,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency at DHS, said in a statement on Saturday. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”

Bug bounty programs and similar efforts have emerged as one way for public and private entities to address verifiable software vulnerabilities with the help of outside researchers and cyber experts. Hundreds of companies have launched their own bounty programs: Amazon's vulnerability research program offers minimum bounties of $100, while Google reportedly paid $6.7 million in bug bounties last year alone.

The Department of Defense has run bug bounty programs on public-facing systems going back to 2016. The General Services Administration (GSA) has a program that offers a sliding-scale bounty of $150 to $5,000 for verifiable vulnerabilities. DHS piloted its own effort in 2019 after the passage of a bipartisan bill authorizing bug bounty programs at the agency.

“I am pleased that following the success of our bug bounty pilot program, [DHS] has decided to make this program a permanent part of its cybersecurity strategy,” said Sen. Maggie Hassan (D-N.H.), one of the sponsors of the original bug bounty legislation.

DHS said it will verify vulnerabilities reported through the program within 48 hours, then remediate them or develop remediation plans within 15 days. The sliding scale for bounty rewards will depend on the significance of the threat and the impact it would cause, according to Mayorkas.

Mayorkas said one of the major goals for “Hack DHS” is to create a bug bounty program that can serve as a model for any government agency seeking to improve its own cybersecurity resilience.

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Mayorkas said in a statement.