The Department of Homeland Security is launching a “bug bounty” program, potentially offering thousands of dollars to hackers who help the department identify cybersecurity vulnerabilities within its systems.
DHS will pay between $500 and $5,000 depending on the gravity of the vulnerability and the impact of the remediation, Homeland Security Secretary Alejandro Mayorkas announced Tuesday.
“It’s a scalable amount of money but we consider that quite significant,” he said, speaking at the Bloomberg Technology Summit. “We’re really investing a great deal of money, as well as attention and focus, on this program.”
Hackers will earn the highest bounties for identifying the most severe bugs, DHS said.
The announcement comes a day after senior Biden administration cyber officials warned that hackersare exploiting a newly revealed software vulnerability.
The vulnerability is in Java-based software known as “Log4j” that large organizations, including some of the world’s biggest tech firms, use to configure their applications.
Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, said the “vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” during a call with executives from major US industries Monday.
As part of the “Hack DHS program,” the department will verify the vulnerability within 48 hours and either remediate it within 15 days or, if required, develop a plan for remediation within a 15-day period, according to Mayorkas.
The program will be open to vetted cybersecurity researchers who have been invited to access select external DHS systems.
“Hack DHS” will be carried out in three phases. First, hackers will conduct virtual assessments, which will be followed by a live, in-person hacking event. During the third phase, DHS will identify and review lessons learned and plan for future bug bounties, according to the department.
Asked whether this program will last into future administrations, Mayorkas said that if it proves valuable, “we will continue the program for as long as we can.”
Katie Moussouris, CEO and founder of Luta Security, welcomed the move but raised concerns about the program’s timeline.
“It’s great that DHS is working with hackers and welcoming their findings; however, time-bound bug bounty programs do not deliver consistent security improvements,” she told CNN. “It’s time to mature government vulnerability disclosure and bug bounty programs towards measurable security outcomes.”
She also pointed out that bug bounties are meant to catch what internal security due diligence missed.
“I will be interested to see if this newest bug bounty reveals more complex bugs than typical low-hanging fruit normally found in bug bounties,” she added. The department ran a bug bounty pilot program in 2019, which stemmed from legislation that allows DHS to compensate hackers for evaluating department systems. It also build on similar efforts, like the Department of Defense’s “Hack the Pentagon” program.
Casey Ellis, founder and chief technology officer at Bugcrowd, a San Francisco-based cybersecurity firm that is working with DHS on the bug bounty program, said there are benefits to adding outside expertise to the department’s cybersecurity efforts.
“It takes an army of allies to outsmart an army of adversaries. Even with an internal team as resourced and smart as the DHS, adding the collective creative of the good-faith hacker community helps DHS level the playing field against the adversary.”
Bugcrowd has been advising a variety of government agencies for many years, including DHS, and will be the platform partner for this program.
Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob Portman of Ohio, who helped draft the initial bug bounty legislation, praised the announcement.
“At a time when cyber threats are on the rise, I’m pleased that DHS is making permanent the bug bounty program I created with Senator Hassan to ensure our federal government is better prepared to protect itself,” Portman said in a statement.