‘Hack DHS’ Bug Bounty Program to Begin Second Phase with New Contract Request

The Department of Homeland Security has issued a solicitation for companies to provide crowdsourced vulnerability assessment services—including for competitions and live events—for phase two of the agency’s “Hack DHS” bug bounty program. 

The request for proposals says that the contract “will be used to conduct crowdsourced vulnerability discovery and disclosure activities across the full range of networks, systems and information, including web applications, software, source code, software-embedded devices and other technologies as solicited across the whole Department of Homeland Security, or other assets as deemed appropriate by the program office.”

DHS established the “Hack DHS” bug bounty program following passage of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, or the SECURE Technology Act, in 2018. Under the law, DHS is required to establish a multi-year bug bounty program allowing eligible individuals, organizations and companies to receive compensation for identifying and reporting vulnerabilities in the agency’s systems. 

The agency announced in April that it has completed the first phase of its bug bounty program, in which 450 vetted security researchers identified 122 vulnerabilities in “select external DHS systems.” 27 of these vulnerabilities were considered “critical” by DHS. Researchers and ethical hackers who participated in the first phase of the program had the opportunity to receive up to $5,000 for identifying verified vulnerabilities, and DHS reported that it awarded a total of $125,600 to participants. 

Under the second phase of the program, researchers and ethical hackers will participate in live hacking events, while the third and final phase will allow DHS to identify and review the lessons learned from the program, as well as plan for additional bug bounty initiatives. 

The RFP calls for six time-boxed challenges and two continuous challenges during the first year of the contract, and then up to 12 time-boxed and five continuous challenges in the optional contract years. The contractors are also expected to conduct live, U.S.-based events with between 15 to 50 researchers, as…