Tag Archive for: bounty

Homeland Security bug bounty reveals huge number of flaws

The outcome of a bug bounty program for the Department of Homeland Security (DHS) has been revealed, and it’s not particularly encouraging news for a government agency synonymous with cyber security.

Participants in DHS’ first-ever bug bounty program, named “Hack DHS,” confirmed that they found a worrying number of security bugs.

Image: A large monitor displaying a security hacking breach warning (Stock Depot/Getty Images).

They discovered a total of 122 security vulnerabilities in external DHS systems, according to The Register and Bleeping Computer. Twenty-seven bugs were recognized as “critical severity” flaws.

The Hack DHS initiative saw more than 450 security researchers participate in the program. For their efforts, the government agency paid out a total reward of $125,600 that was distributed amongst the ethical hackers.

As aptly highlighted by The Register, the aforementioned payout figure pales in comparison to what other organizations pay to bug bounty hunters.

For example, Intel has previously offered up to $100,000 for successfully uncovering specific vulnerabilities.

Other technology giants like Microsoft offer tens of thousands of dollars for finding flaws, while Apple paid a single individual nearly the entirety of the Hack DHS bounty by giving him $100,000 for hacking a Mac.

Google, meanwhile, has awarded nearly $30 million to individuals enrolled in its own bug bounty programs. In one particular case, the company gave a self-taught teenage hacker $36,000 for reporting a certain bug.

Considering that one of the Department of Homeland Security’s key responsibilities involves cyber security, many may understandably be concerned that such a large number of security bugs were found in the first place. Moreover, the somewhat lackluster payment tiers associated with Hack DHS could deter future interested parties.

All things considered, it seems the DHS is not as secure as many Americans would have hoped it would be.

Image: A physical lock placed on a keyboard to represent a locked keyboard (piranka/Getty Images).

Homeland Security’s quest to become more secure

Hack DHS was originally introduced in December 2021. Any hacker who joined the program had to provide a comprehensive breakdown of any vulnerability they found. They also had to detail how that flaw could be…


‘Hack DHS’ Program Successfully Concludes First Bug Bounty Program

Today, the Department of Homeland Security (DHS) announced the results of its first bug bounty program. Through the “Hack DHS” program, vetted cybersecurity researchers and ethical hackers are invited to identify potential cybersecurity vulnerabilities in select external DHS systems. In the first phase of this program, more than 450 vetted security researchers identified 122 vulnerabilities, of which 27 were determined to be critical. DHS awarded a total of $125,600 to participants for identifying these verified vulnerabilities. DHS was the first federal agency to expand its bug bounty program to find and report log4j vulnerabilities across all public-facing information system assets, which allowed the Department to identify and close vulnerabilities not surfaced through other means.

“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Hack DHS underscores our Department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats.”

Hack DHS launched in December 2021 with the goal of developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience. During the second phase of this three-phase program, vetted cybersecurity researchers and ethical hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify lessons learned, which will inform future bug bounty programs.

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” said DHS Chief Information Officer Eric Hysen. “We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”

To learn more about Hack DHS, please visit DHS.gov. Further, organizations of all sizes can visit CISA’s Shields Up webpage for resources and…


The US Puts a $10M Bounty on DarkSide Ransomware Hackers

On Friday, the radical transparency group DDoSecrets released hundreds of hours of police helicopter surveillance footage. It’s unclear who originally obtained the data, or what that person’s motivations were, but the trove shows how extensive law enforcement’s eye-in-the-sky has become, and how high-fidelity its cameras are. Privacy advocates also say the incident underscores that authorities don’t do nearly enough to protect sensitive data, and have retention policies that are far too lax.

In other aerial news: For the first time, intelligence officials say, a consumer drone likely attempted to disrupt the US power grid. The July 2020 incident took place at a power substation in Pennsylvania; a DJI Mavic 2 quadcopter outfitted with nylon ropes and copper wire seemed determined to cause a short circuit, but crash-landed on a nearby roof before it reached its apparent target. Security experts have warned about this possibility for years, and say that regulatory bodies haven’t moved quickly enough to mitigate the threat.

This week saw China’s new data privacy law go into effect, and the ramifications have already begun to play out. Yahoo! exited the country, citing an “increasingly challenging business and legal environment.” And while the regulations are some of the strictest in the world, the fact that the Chinese government has tied them to national security interests—and continues to give itself extraordinary access to its citizens’ data—may inspire other countries to take a similarly aggressive posture.

Cryptocurrency scammers used the popularity of the Netflix hit Squid Game to gin up interest, then pulled the rug on investors to the tune of over $3 million. The White House Market dark web bazaar shuttered earlier this month, but raised the bar for security measures during its brief reign. And if you’ve got iCloud+, here’s how to take advantage of all of the new security measures you can now access.

Finally, make sure you set aside a few minutes this weekend to dive into this tale of how a group of fed up parents built their own open source version of their school system’s app—only to have the city call the cops on them.

And there’s more! Each week we round up all the security…


HackerOne Extends Internet Bug Bounty Program To Include Open Source Bugs

HackerOne has secured sponsorship from Facebook, TikTok, Shopify, and others for the expanded scope of the Internet Bug Bounty (IBB) program.
