The United States Department of Homeland Security (DHS) is inviting security researchers to uncover vulnerabilities and hack into its systems, in an attempt to better protect itself from malicious attacks.

The DHS says that it is launching the “Hack DHS” bug bounty program to “identify potential cybersecurity vulnerabilities within certain DHS systems and increase the Department’s cybersecurity resilience.”

According to the DHS, whose Secretary Alejandro Mayorkas announced the initiative at the Bloomberg Technology Summit, “Hack DHS” will have three phases:

  1. Hackers will conduct virtual assessments on certain DHS external systems.
  2. Hackers will participate in a live, in-person hacking event.
  3. DHS will identify and review lessons learned, and plan for future bug bounties.

DHS Secretary Mayorkas said that between $500 and $5000 would be paid for each vulnerability uncovered, depending on the severity of the bug discovered. In order to be eligible for a reward, security researchers will have to disclose full details of the flaw to the DHS, including how it can be exploited and how a malicious hacker could use it to steal information.

Of course, bug bounties are nothing new. Many private sector companies operate bug bounty programs to encourage responsible disclosure of vulnerabilities, and in recent years the likes of the US Army and Pentagon have offered financial rewards for pre-approved security researchers to participate in bug hunts.

And rather than reinvent the wheel, “Hack DHS” appears to be building on the foundations of such initiatives, ensuring that strong guidelines are put in place to prevent chaos ensuing.

Therefore, I would expect “Hack DHS” to follow in the footsteps of the “Hack the Pentagon” bug bounty, which imposed the following rules:

  • You must have pre-registered and been approved to take part in the program.
  • You must be eligible to work in the United States.
  • You (Read more...)