Today, the Department of Homeland Security (DHS) announced the launch of “Hack DHS,” a bug bounty program to identify potential cybersecurity vulnerabilities within certain DHS systems and increase the Department’s cybersecurity resilience. Through Hack DHS, vetted cybersecurity researchers who have been invited to access select external DHS systems (“hackers”) will identify vulnerabilities (“bugs”) that could be exploited by bad actors so they can be patched. These hackers will be rewarded with payments (“bounties”) for the bugs they identify.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro N. Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
Hack DHS will occur in three phases throughout Fiscal Year 2022, with the goal of developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience. During phase one, hackers will conduct virtual assessments on certain DHS external systems. During the second phase, hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify and review lessons learned, and plan for future bug bounties.
Hack DHS, which will leverage a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer. Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information. The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs.
Hack DHS builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government, such as the Department of Defense’s “Hack the Pentagon” program. DHS established its first bug bounty pilot program in 2019 as a result of provisions authored by Senator Maggie Hassan (D-N.H.), Senator Rob Portman (R-Ohio), Rep. Ted Lieu (D-Calif.), and Rep. Scott Taylor (R-Va.) that passed into law as part of the SECURE Technology Act. This law permits the Department to compensate individuals chosen to evaluate DHS systems by mimicking hacker behavior.