Under the Hack DHS program, vetted cybersecurity researchers will be allowed to access select external DHS systems to search for bugs that bad actors could exploit. Hackers will be rewarded with payments for the bugs they identify. The end goal is to develop a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.
There’s a side benefit of the initiative for government-focused MSSPs: potential engagements to provide additional expertise, if needed, to address vulnerabilities the hackers discover.
The program has three phases. Here’s how it will work:
- Phase 1: Hackers will conduct virtual assessments on certain DHS external systems.
- Phase 2: Hackers will participate in a live, in-person hacking event.
- Phase 3: DHS will identify and review lessons learned, and plan for future bug bounties.
Hackers will disclose their findings to DHS system owners and leadership, including the nature of the vulnerability, how it has been exploited, and how it might allow other actors to access information. The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs.
Hack DHS leverages a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA). It will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
DHS established its first bug bounty pilot program in 2019 based on provisions in the SECURE Technology Act. The law permits DHS to compensate individuals chosen to evaluate the agency’s systems by mimicking hacker behavior.