The Department of Homeland Security’s (DHS) “Hack DHS” program has successfully completed its first bug bounty program and identified 122 vulnerabilities at the agency.
The first phase of the program saw more than 450 vetted security researchers identifying the 122 vulnerabilities. Among those vulnerabilities, 27 were determined to be “critical.” For their roles, DHS awarded each participant who identified the vulnerabilities $125,600.
“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement.
“Hack DHS underscores our Department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats,” Mayorkas added.
DHS is the first Federal agency to expand its bug bounty program for seeking out and reporting log4j vulnerabilities across all public-facing information system assets. This allows the agency to identify and close vulnerabilities – that haven’t surfaced – through other means.
The Hack DHS program was launched back in December 2021 with a goal of increasing cybersecurity resiliency. With the first phase of the program complete, Hack DHS will move to phase two of three phases, which is to have vetted cybersecurity researchers and ethical hackers participate in a live, in-person hacking event.
Phase three will see DHS identify lessons learned, including what lessons can be carried over to future bug bounty programs.
“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS Chief Information Officer Eric Hysen said. “We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”
