Skip to content ↓ | Skip to navigation ↓

The United States Department of Homeland Security (DHS) is inviting security researchers to uncover vulnerabilities and hack into its systems, in an attempt to better protect itself from malicious attacks.

The DHS says that it is launching the “Hack DHS” bug bounty program to “identify potential cybersecurity vulnerabilities within certain DHS systems and increase the Department’s cybersecurity resilience.”

According to the DHS, whose Alejandro Mayorkas announced the initiative at the Bloomberg Technology Summit, “Hack DHS” will have three phases:

  1. Hackers will conduct virtual assessments on certain DHS external systems.
  2. Hackers will participate in a live, in-person hacking event.
  3. DHS will identify and review lessons learned, and plan for future bug bounties.

DHS Secretary Mayorkas said that between $500 and $5000 would be paid for each vulnerability uncovered, depending on the severity of the bug discovered. In order to be eligible for a reward, security researchers will have to disclose full details of the flaw with the DHS, including how it can be exploited, and how it could be used by a malicious hacker to steal information.

Of course, bug bounties are nothing new. Many private sector companies operate bug bounty programs to encourage responsible disclosure of vulnerabilities, and in recent years the likes of the US Army and Pentagon have offered financial rewards for pre-approved security researchers to participate in bug hunts.

And rather than reinvent the wheel, “Hack DHS” appears to be building on the foundations of such initiatives, ensuring that strong guidelines are put in place to prevent chaos ensuing.

Therefore, I would expect “Hack DHS” to follow in the footsteps of the “Hack the Pentagon” bug bounty which imposed the following rules:

  • You must have pre-registered and been approved to take part in the program.
  • You must be eligible to work in the United States.
  • You can’t be residing in a country currently under US trade sanctions. So, Syrian and North Korean hackers are not welcome!
  • You can’t be on the US Department of Treasury’s list of bad guys and organisations who have engaged in terrorism, drug trafficking and other crimes.
  • Every participant has to agree to undergo a background check.

In addition, the DHS will be putting tight parameters in place around what systems are within scope for the bug bounty, and about what types of vulnerabilities it is interested in receiving reports.

In the greater scheme of things, a maximum $5000 bounty is not tremendously generous, especially when companies to other bug-finding initiatives – but one imagines that some security researchers will appreciate the kudos they could receive for helping the DHS stamp out potentially highly-critical security holes in its systems.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.