The Department of Homeland Security (DHS) announced today that it is launching a new edition of its Hack DHS program – a bug bounty program started in 2019 – to identify potential cybersecurity vulnerabilities within certain DHS systems.
Hack DHS invites vetted cybersecurity researchers to access select external DHS systems and identify vulnerabilities that could be exploited by bad actors. The aim is to get newly found vulnerabilities patched and to give bounty payments to hackers for the identified bugs.
“As the Federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said agency Secretary Alejandro Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
The Hack DHS program will take place in three phases over the course of fiscal year (FY) 2022, aiming to develop a model that can be used by other organizations across every level of government to boost cyber resilience.
Phase one will be composed of hackers conducting virtual assessments on certain DHS external systems; the second phase will see hackers participating in a live, in-person hacking event; and the third and final phase will see DHS identify and review lessons learned and a plan for future bug bounties.
“Hack DHS, which will leverage a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the CIO,” the agency said in a statement. “Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information.”