The US Department of Homeland Security’s (DHS) first bug bounty with outside researchers, called “Hack DHS,” helped discover 122 vulnerabilities.
DHS announced the DHS Hack Bounty in December and invited more than 450 “certified security researchers” to participate in phase one of the program. DHS suggests that the program produced solid results: 27, or about 22%, of the 122 vulnerabilities found by the participants were rated “critical.”
DHS offered participants between $500 and $5,000 per discovered vulnerability and awarded a total of $125,600 for verified vulnerabilities. It was the first federal agency to expand its bug bounty program to include Log4J bugs in all public information system assets. This made it possible to identify and close vulnerabilities that had not surfaced through other means, DHS said. DHS does not say how many of the bugs were Log4J-related or how many of the identified bugs were eligible for the $5,000 bounty.
This bug bounty invited approved hackers to conduct a virtual assessment on select DHS systems. It completes the first of the three phases of the DHS program. In the second phase, security researchers will be invited to participate in a live on-site hacking event, while the third phase will be used by DHS to gather insights that inform future bug bounty programs.
CISA created the bug bounty platform used by Hack DHS, while the DHS Office of the Chief Information Officer (CIO) governed and oversaw the rules of engagement.
“The enthusiastic participation of the security research community during the first phase of Hack DHS enabled us to find and fix critical vulnerabilities before they could be exploited,” said Eric Hysen, CIO of DHS.
“We look forward to further strengthening our relationship with the research community as Hack DHS advances.”
Hack DHS follows similar rewards programs like Hack the Pentagon, a unique program launched in 2016 that helped uncover 100 vulnerabilities in various Department of Defense assets. Related bug bounty efforts by the Department of Defense, Air Force, and Army followed.