Homeland Security Offers Hackers a Bounty to Find Bugs

(Bloomberg) -- The U.S. Department of Homeland Security announced a new program Tuesday in which the agency will pay outside hackers to find vulnerabilities in its computer systems, a type of incentive popular in the cybersecurity industry that is known as a “bug bounty.” 

DHS Secretary Alejandro Mayorkas unveiled his agency’s “Hack DHS” program at the Bloomberg Technology Summit. Unlike many bug bounties, which are open to anyone, DHS said in a statement that its program would include only “vetted cybersecurity researchers who have been invited to access select external DHS systems.” Any vulnerabilities they find would then be fixed, and the researchers would be rewarded with financial prizes.  

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Mayorkas said in the statement.  “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”

Once a novelty, hundreds of organizations around the world now have bug bounty programs, according to a list maintained by Bugcrowd, a San Francisco-based company that helps manage them. Such programs allow companies to better secure their products and cybersecurity researchers to make money from identifying weaknesses in companies’ technologies and networks.

Mayorkas said the agency would pay awards from $500 to $5,000 per verified vulnerability, amounts that put the highest potential payout from DHS at the lower end of the range of some similar programs run by large technology companies. Google, for example, said that in 2020 it paid $6.7 million in bug bounties, with the highest single award being $132,500.

DHS plans to verify any reported vulnerabilities within 48 hours and either remediate or develop a plan to remediate them within 15 days, Mayorkas said. “We’re really investing a great deal of money as well as attention and focus on this program,” he said.

Regarding ransomware attacks, which involve hackers locking victims’ computer systems and demanding payment to unlock them, Mayorkas said the agency saw a quadrupling in such incidents in early 2021 but that some of the most prolific hacking groups appear to have backed off for the time being. One reason may be the stepped-up responses by the U.S. and other countries to such attacks, which included a string of arrests announced in November against alleged members of a Russia-linked ransomware group commonly known as REvil or Sodinokibi and sanctions against cryptocurrency entities that are accused on enabling the hacks. 

“Some of the major players we haven’t seen as active as previously,” Mayorkas said. “That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level.”

©2021 Bloomberg L.P.