The US Department of Homeland Security (DHS) is offering up to $5,000 bug bounties under a new program called Hack DHS, it announced. Vetted security researchers invited by the agency will get access to select external DHS systems to identify vulnerabilities that could be exploited by bad actors. Payments will vary between $500 and $5,000 depending on the severity of the bug.
"As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems," said DHS Secretary Alejandro N. Mayorkas. "The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors."
The program will roll out in three phases, with hackers first doing virtual assessments of systems. That will be followed by a live, in-person hacking event for the second phase, and in the third phase, the DHS will "identify and review lessons learned, and plan for future bug bounties," it wrote.
Some of the major players we haven’t seen as active as previously. That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level.
The program will use a platform developed by the Cybersecurity and Infrastructure Security Agency (CISA) and monitored by the DHS Office of the Chief Information Officer. That department will verify any bugs within 48 hours and either fix them or develop a plan to do so within 15 days.
Private industry generally offers much higher bug bounties, with companies like Microsoft and Apple offering payouts as high as $1 million. However, Hack DHS isn't an open bounty program so it's limited to a smaller pool of researchers.
The DHS said that attacks against it were up fourfold in 2021 but that some of the most dangerous groups have slowed down. "Some of the major players we haven’t seen as active as previously," Mayorkas said at Bloomberg's Technology Summit. "That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level."