All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of April 25, 2022. I’ve also included some comments on these stories.

Homeland Security bug bounty program uncovers 122 holes in its systems

The first bug bounty program run by America’s Department of Homeland Security (DHS) has led to the discovery and disclosure of 122 vulnerabilities, 27 of which were deemed critical, reports The Register. In total, more than 450 security researchers participated in the Hack DHS program and identified weaknesses in “select” external DHS systems.

DYLAN D’SILVA | Security Researcher at Tripwire

An interesting and proactive take on pen-testing, vulnerability management and bug bounty programs. It’s great to see an organization “walk the talk” and publicly disclose that, through their new program, properly vetted security researchers were able to identify 122 vulnerabilities in the Department of Homeland Security’s systems, with 27 of those being deemed critical.

For those who are unfamiliar with what a bug bounty program is, most large technology companies offer a program where individuals who find and responsibly disclose bugs (especially ones that relate to security exploits and vulnerabilities) found in software are rewarded with recognition and compensation. Google, Apple, Microsoft, Facebook, Yahoo, Reddit, Square/Block all offer private bug bounty programs that can be quite lucrative for researchers. Apple recently paid $100K to one researcher who discovered 4 flaws related to a webcam hack (see my comments here).

Digging into the article a bit further, it looks like this is modeled after the DoD’s “Hack the Pentagon” program, and broken into three phases:

  1. Find and remediate vulnerabilities with payouts
  2. Participate in a live in-person hacking event
  3. Identify lessons