First phase of ‘Hack DHS’ finds over 120 vulnerabilities
Martin Matishak April 22, 2022

The initial leg of the Homeland Security Department’s first-ever bug bounty program uncovered more than 120 cybersecurity vulnerabilities in some of its external systems, the agency announced on Friday.

More than 450 vetted security researchers participated in the first phase of the “Hack DHS” effort and identified 122 weaknesses across its public-facing information systems, 27 of which were determined to be critical, according to a department news release. 

The bug bounty program, launched last December, was expanded shortly after launch to cover vulnerabilities in DHS networks stemming from the flaw in the widely used Log4j logging library. DHS did not specify how many of the reported vulnerabilities were linked to that flaw, which sent the public and private sectors scrambling to patch their systems.

In all, the department awarded a total of $125,600 to the researchers who participated in the first portion of the program, it said.

“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” DHS Secretary Alejandro Mayorkas said in a statement.

The effort “underscores our department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats,” he added.

The results could provide further vindication for the use of bug bounty programs throughout the federal government. Once shunned in Washington, such efforts have gained traction in recent years, particularly at the Defense Department and within the military services, and have prompted lawmakers to consider emulating them at other major agencies, such as the State Department.

The DHS bounty program — operated on a platform created by the Cybersecurity and Infrastructure Security Agency (CISA) and monitored by the department’s chief information officer — will run in three phases throughout fiscal year 2022.

In the second phase, participants will take part in a live, in-person hacking event. In the final phase, DHS will identify and review lessons learned and plan for potential future bug bounty programs.

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS CIO Eric Hysen said in a statement. 

“We look forward to further strengthening our relationship with the researcher community as ‘Hack DHS’ progresses,” according to Hysen.

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.