    'Hack DHS' bug hunters find 122 security flaws in DHS systems


    Karlston


    The Department of Homeland Security (DHS) today revealed that bug bounty hunters enrolled in its 'Hack DHS' bug bounty program have found 122 security vulnerabilities in external DHS systems, 27 of them rated critical severity.


    DHS awarded a total of $125,600 to over 450 vetted security researchers and ethical hackers, with rewards of up to $5,000 per bug, depending on the flaw's severity.


    "The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited," said DHS Chief Information Officer Eric Hysen.


    "We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses."


    The 'Hack DHS' program builds upon the experience of similar efforts across the US federal government (e.g., the 'Hack the Pentagon' program) and the private sector.


    DHS launched its first bug bounty pilot program in 2019, two years before 'Hack DHS,' after the SECURE Technology Act was signed into law, requiring the establishment of a security vulnerability disclosure policy and a bounty program.

    Launched to develop a model for other government organizations

    The 'Hack DHS' bug bounty program was announced in December 2021. It requires participating hackers to disclose their findings together with detailed information on the vulnerability, how it can be exploited, and how it could be used to gain access to data on DHS systems.

    All reported security flaws are then verified by DHS security experts within 48 hours and fixed within 15 days or longer, depending on the bug's complexity.

    One week after the launch, DHS expanded the scope of the 'Hack DHS' bounty program to allow researchers to track down DHS systems impacted by Log4j-related vulnerabilities.

    The decision to expand the program came on the heels of a CISA emergency directive ordering Federal Civilian Executive Branch agencies to patch their systems against the critical Log4Shell bug by December 23.


    "Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity," added Secretary of Homeland Security Alejandro N. Mayorkas.


    "Hack DHS underscores our Department's commitment to lead by example and protect our nation's networks and infrastructure from evolving cybersecurity threats."


