DHS Concludes First ‘Hack DHS’ Bug Bounty Event
The Department of Homeland Security has concluded its first “Hack DHS” three-phase bug bounty program, which involved more than 450 cybersecurity researchers and ethical hackers.
DHS said the first phase of the program led to the discovery of 122 vulnerabilities, including 27 deemed critical. A total of $125,600 was awarded to the researchers who identified the flaws, DHS said.
The second phase is a live, in-person hacking event among vetted cybersecurity researchers, while the final phase is dedicated to identifying lessons learned.
Secretary of Homeland Security Alejandro Mayorkas, a 2021 Wash100 awardee, said Hack DHS highlights the department’s commitment to keeping up with the escalating sophistication of cyber threats.
He added that organizations of all sizes, including DHS, must remain wary of cyber threats and must take steps to strengthen their posture.
DHS Chief Information Officer Eric Hysen said the department is looking forward to working with the cybersecurity community during future Hack DHS events.
The department said it launched the program in December 2021 to create a template that government organizations at all levels can use to build their cybersecurity programs.
Other federal agencies had previously launched bug bounty programs. In early 2021, the Department of Defense announced the expansion of its Vulnerability Disclosure Program, allowing ethical hackers to target the Pentagon’s publicly accessible information systems, frequency-based communications, internet of things devices, industrial control systems and others.
The VDP was based on the DOD’s Hack the Pentagon program in 2016. In the same year, the Internal Revenue Service also launched its own bug bounty program in partnership with penetration testing company Synack.