Hack DHS: Homeland Security’s first bug bounty turns up 122 vulnerabilities

The US Department of Homeland Security (DHS)’s first bug bounty with external researchers called “Hack DHS” helped discover 122 vulnerabilities. 

DHS announced the Hack DHS bounty in December and in phase one of the program invited more than 450 “vetted security researchers” to get involved. DHS suggests the program produced solid results: 27 or about 22% of the 122 vulnerabilities participants found were deemed “critical”. 

DHS offered participants between $500 and $5,000 per discovered vulnerability and in total awarded $125,600 for verified security flaws. It was the first federal agency to amend its bug bounty program to include Log4J flaws across all public-facing information system assets. This allowed it to identify and close vulnerabilities not surfaced through other means besides the bounty, the DHS said. It doesn’t say how many of the flaws were related to Log4J or how many of the identified bugs were eligible for the $5,000 award.

This bug bounty invited approved hackers run a virtual assessment on select DHS systems. It concludes the first of DHS’ three phase program. The second phase invites security researchers to join a live, in-person hacking event, while the third phase will be used by DHS to collect lessons that inform future bug bounty programs. 

CISA created the bug bounty platform used by Hack DHS while the DHS Office of the Chief Information Officer (CIO) governed and monitored rules of engagement.    

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” said DHS CIO Eric Hysen. 

“We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.” 

Hack DHS follows similar bounty programs like “Hack the Pentagon,” a first-of-its-kind program launched in 2016 that helped uncover 100 vulnerabilities across various Defense Department assets. It followed related bug bounty efforts from the Department of Defense, Air Force, and Army.