The United States Department of Homeland Security (DHS) has announced a new bug bounty program. Entitled "Hack DHS," the program is set up like many other bug bounty programs. White-hat hackers are encouraged to target systems specified by the DHS, namely external systems, and try to find vulnerabilities within them. The idea is to fix vulnerabilities before they are exploited and, additionally, to offer financial compensation to the bug hunters.
The notice on the DHS press releases page stated the following about how Hack DHS will happen and when it begins:
"Hack DHS will occur in three phases throughout Fiscal Year 2022, with the goal of developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience. During phase one, hackers will conduct virtual assessments on certain DHS external systems. During the second phase, hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify and review lessons learned, and plan for future bug bounties."
As with many programs of this kind, there is a sliding scale of pay based on severity. The more critical a vulnerability is, the higher the pay for the individual who discovered it. As is acknowledged in the press release, the Hack DHS program is building on the framework set by prior government initiatives. Most notable of these would be the "Hack the Pentagon" program that occurred some time ago.
According to the news post, a pilot program was set up in 2019 after the passing of the SECURE Technology Act, which was authored by Senator Maggie Hassan (D-N.H.), Senator Rob Portman (R-Ohio), Rep. Ted Lieu (D-Calif.), and Rep. Scott Taylor (R-Va.).
Most bug bounty programs, whether in the public or private sectors, tend to yield positive results. While it is too early to tell if Hack DHS will be a success, history suggests it probably will.