New “Hack DHS” program will pay up to $5,000 for discovered vulnerabilities

Michael Gariffo, Staff Writer

Michael is a veteran technology writer who has been covering business and consumer-focused hardware and software for over a decade.

December 15, 2021 | Topic: Security

The US Department of Homeland Security is launching its own bug bounty program to help find and correct gaps in its systems. 

The new “Hack DHS” program was made official by Homeland Security Secretary Alejandro Mayorkas in a press release on the agency’s website after it was revealed at the recent Bloomberg Technology Summit and covered by The Record. The program promises to pay out between $500 and $5,000 to “vetted cybersecurity researchers who have been invited to access select external DHS systems.” The actual payout will be based on the severity of the specific vulnerability discovered.

As noted by DHS, this new bounty program builds on similar private-sector efforts and “Hack the Pentagon,” a first-of-its-kind program launched in 2016 that was ultimately responsible for identifying over 100 vulnerabilities across various Defense Department assets. The DHS itself created a similar pilot program in 2019 on the back of a bipartisan bill. It followed related efforts from the Department of Defense, Air Force, and Army. 

“The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors,” Mayorkas noted. 

The effort will include three phases that will run throughout FY 2022. In the first phase, hackers will be called on to conduct “virtual assessment” on select DHS systems. This will be followed by a “live, in-person hacking event” during phase two, and an identification and review process during the third and final phase. 

The DHS noted that it will use the data collected during this process both to plan for future bug bounties and to develop “a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.”

Like previous government programs of a similar nature, this one will be governed by rules orchestrated by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), with all participants required to fully disclose any information that could be useful in mitigating and correcting the vulnerabilities they discover. 

The hope for programs like this one is to privately discover and patch holes without relying on external security researchers or random discoverers to do the scrupulous thing and inform the vendor/agency before releasing a vulnerability into the wild. This effort appears particularly timely in a world where governments, businesses, and just about everyone that owns a computer continue to deal with the fallout from the very public disclosure and rapid exploitation of the Log4j vulnerability. 
