The first bug bounty program organized by the US Department of Homeland Security has revealed a total of 122 vulnerabilities, 27 of which have been labeled critical. Last December, Homeland Security launched the “Hack DHS” program. The program consists of three phases. In the first phase, a model was developed that other government agencies can also use to strengthen their cyber resilience.
During this phase, approved hackers and researchers were able to remotely test certain systems of the Department of Homeland Security. This phase, in which more than 450 security researchers participated, has now been completed. Researchers received between $500 and $5,000 per bug report, depending on the impact of the vulnerability found. In total, more than $125,000 in rewards has been awarded.
Following the disclosure of the Log4j vulnerability, the Department decided to include this vulnerability as well, making it the first US government bug bounty program to reward researchers for Log4j vulnerabilities found in publicly available systems. Now that the first phase has been completed, phase two is planned. Hackers and researchers will get to work during a live hacking event. Finally, DHS will identify and evaluate lessons learned and plan for future bug bounty programs.