Following a successful pilot program, the Department of Homeland Security has begun a permanent “Hack DHS” program that allows vetted cybersecurity researchers to probe department networks for potential cybersecurity vulnerabilities that can be exploited by bad actors.
The bug bounty program was initially authorized by Congress as a pilot in 2018 and creates incentives for hackers on a sliding scale depending on the severity of the network flaws they discover.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Homeland Security Secretary Alejandro Mayorkas said in a statement on Tuesday. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the department is partnering with the community to help protect our nation’s cybersecurity.”
The new program will build in three phases during fiscal year 2022. In the first phase, hackers will virtually assess certain parts of the department’s external systems. In phase two, hackers will participate in a live, in-person hacking event, and in the third phase the department will review lessons learned for future bug bounties.
Hack DHS will leverage a platform created by the DHS Cybersecurity and Infrastructure Security Agency and be monitored by the DHS chief information officer for compliance with specified rules of engagement. Vulnerabilities will be disclosed to DHS system owners and leadership along with how they were exploited.
The DHS program builds on an existing bug bounty program run by the Department of Defense.
“At a time when cyber threats are on the rise, I’m pleased that DHS is making permanent the bug bounty program I created with Senator [Maggie] Hassan (D-N.H.), to ensure our federal government is better prepared to protect itself,” Sen. Rob Portman (R-Ohio), ranking member on the Senate Homeland Security and Governmental Affairs Committee, said in a statement. “Our bipartisan law ensures that the federal government draws upon the vast expertise of hackers and security experts in our country to identify vulnerabilities and report them to people in positions to fix those flaws in our systems.”