Homeland Security launches ‘Hack DHS’ bug bounty program
Indianapolis - Circa August 2018: Logo and seal of the United States Department of Homeland Security. DHS runs Immigration and Customs Enforcement (ICE) I
Martin Matishak December 14, 2021

Homeland Security launches ‘Hack DHS’ bug bounty program

Martin Matishak

December 14, 2021

Homeland Security launches ‘Hack DHS’ bug bounty program

The Homeland Security Department has launched a bug bounty program that will allow hackers to report vulnerabilities in its systems in exchange for monetary prizes, the agency’s chief announced on Tuesday.

“We’re focused not only on protecting and enhancing the cybersecurity of the private sector and of the federal government writ large, but of course, we as a department have to lead by example,” Homeland Security Secretary Alejandro Mayorkas said during an appearance at the Bloomberg Technology Summit.

The effort, dubbed “Hack DHS,” will pay hackers between $500 and $5,000 for each flaw that is uncovered “depending on the gravity of the vulnerability,” he added. 

A fixture in Silicon Valley and the private sector, bug bounty programs failed to gain traction inside Washington until the Defense Department launched the federal government’s first one in 2016.

“Hack the Pentagon” found nearly 140 previously unidentified vulnerabilities on some of the department’s websites and was quickly copied by the military branches. 

The Pentagon’s success prompted congressional lawmakers to try to replicate it at other federal agencies, including the State Department. DHS established its first bug bounty pilot program in 2019 after a bipartisan bill was signed into law by former President Donald Trump.

In separate statements, the bill’s co-sponsors — Sen. Rob Portman (Ohio), the top Republican on the Senate Homeland Security Committee, and Sen. Maggie Hassan (D-N.H.), who chairs the panel’s emerging threat subcommittee — said they were “pleased” DHS is making the bug bounty program permanent.

The effort will “ensure our federal government is better prepared to protect itself,” according to Portman.

Hassan said it is “imperative” that DHS systems can withstand cyberattacks.

In a statement, DHS said the bounty program would run in three phases throughout fiscal year 2022.

In phase one, hackers will perform “virtual assessments on certain DHS external systems.” The next phase will have participants take part in a live, in-person hacking event. The department will identify and review lessons learned and plan for potential future bug bounties in the final phase.

The program will run on a platform created by the Cybersecurity and Infrastructure Security Agency (CISA) and will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer, according to the department. DHS will verify any reported weaknesses within 48 hours.

Mayorkas said the program’s future would be “up to a new administration.”

“We’re going to see what we learn from it, what values we draw from it, and if, in fact, the value proposition so warrants, we will continue the program for as long as we can,” he said.

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.