‘Hack DHS’ Program Identifies 122 Vulnerabilities Across Networks

On Monday, the Department of Homeland Security announced 450 researchers working in its first-ever “Hack the DHS” bug bounty program identified at least 122 vulnerabilities, 27 of which were considered “critical.”

Launched in December, the program had vetted security researchers and ethical hackers probe select external DHS systems for vulnerabilities, with the potential to receive up to $5,000 for their finds. According to DHS, the agency awarded $125,600 to researchers in the first of what will be a three-phase program that aims to better inform federal agencies and other public sector organizations about the pros and cons of bug bounty programs.

“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,”

Secretary of Homeland Security Alejandro N. Mayorkas said in a statement.

“Hack DHS underscores our department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats.”

The bug bounty concept was first used broadly in the U.S. government by the Defense Department, and in recent years, Congress has pressed civilian agencies to find ways to incorporate it, too. In the second phase of the program, ethical hackers will participate in a live, in-person hacking event, according to DHS. During the third phase, DHS will identify lessons learned that could inform future bug bounty programs in government.

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,”

DHS Chief Information Officer Eric Hysen said in a statement.

“We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”