'Hack DHS' Bug Bounty Program to Begin Second Phase with New Contract Request

pearleye/Getty Images

The contract is geared toward companies that can conduct crowdsourced events and competitions for vetted security researchers, to help bolster DHS’ cyber resilience.

The Department of Homeland Security has issued a solicitation for companies to provide crowdsourced vulnerability assessment services—including for competitions and live events—for phase two of the agency’s “Hack DHS” bug bounty program. 

The request for proposals says that the contract “will be used to conduct crowdsourced vulnerability discovery and disclosure activities across the full range of networks, systems and information, including web applications, software, source code, software-embedded devices and other technologies as solicited across the whole Department of Homeland Security, or other assets as deemed appropriate by the program office.”

DHS established the “Hack DHS” bug bounty program following passage of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, or the SECURE Technology Act, in 2018. Under the law, DHS is required to establish a multi-year bug bounty program allowing eligible individuals, organizations and companies to receive compensation for identifying and reporting vulnerabilities in the agency’s systems. 

The agency announced in April that it has completed the first phase of its bug bounty program, in which 450 vetted security researchers identified 122 vulnerabilities in “select external DHS systems.” 27 of these vulnerabilities were considered “critical” by DHS. Researchers and ethical hackers who participated in the first phase of the program had the opportunity to receive up to $5,000 for identifying verified vulnerabilities, and DHS reported that it awarded a total of $125,600 to participants. 

Under the second phase of the program, researchers and ethical hackers will participate in live hacking events, while the third and final phase will allow DHS to identify and review the lessons learned from the program, as well as plan for additional bug bounty initiatives. 

The RFP calls for six time-boxed challenges and two continuous challenges during the first year of the contract, and then up to 12 time-boxed and five continuous challenges in the optional contract years. The contractors are also expected to conduct live, U.S.-based events with between 15 to 50 researchers, as well as design competitions and “gamification” aspects for the events. 

The RFP says that the contractors are required to have “a pre-existing, security researcher community of over 1,000 domestic and international individual researchers with the knowledge, skills and abilities most applicable and valuable for the goals of the requirement.” 

DHS says it plans to award up to four indefinite-delivery, indefinite-quantity contracts through the RFP. The contracts will each cover a one-year base period, with four one-year optional add-ons. The cumulative ceiling for the contracts is roughly $43 million. Bids are due no later than August 15.

DHS’s bug bounty program follows in the footsteps of the Department of Defense’s “Hack the Pentagon” program, which was launched in 2016 as the first agency-wide initiative to use vetted researchers to scour computer systems for vulnerabilities. 

“The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors,” DHS Secretary Alejandro Mayorkas said in a statement announcing the launch of the agency’s bug bounty initiative last year. “This program is one example of how the department is partnering with the community to help protect our nation’s cybersecurity.”