Today, the Department of Homeland Security (DHS) announced the results of its first bug bounty program. Through the “Hack DHS” program, vetted cybersecurity researchers and ethical hackers are invited to identify potential cybersecurity vulnerabilities in select external DHS systems. In the first phase of this program, more than 450 vetted security researchers identified 122 vulnerabilities, of which 27 were determined to be critical. DHS awarded a total of $125,600 to participants for identifying these verified vulnerabilities. DHS was the first federal agency to expand its bug bounty program to find and report log4j vulnerabilities across all public-facing information system assets, which allowed the Department to identify and close vulnerabilities not surfaced through other means.
“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Hack DHS underscores our Department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats.”
Hack DHS launched in December 2021 with the goal of developing a model that other organizations across every level of government can use to increase their own cybersecurity resilience. During the second phase of this three-phase program, vetted cybersecurity researchers and ethical hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify lessons learned, including those that can inform future bug bounty programs.
“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” said DHS Chief Information Officer Eric Hysen. “We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”