Aug 22 2022

Bug Hunters Wanted: Bounty Programs Prove Fruitful for DHS, DOD

DHS wants vendors to help plan as many as eight ethical hacking programs for the effort’s second phase.

After a variety of successful bug-hunting pilot programs, the Department of Defense and the Department of Homeland Security are boosting efforts to find and fix bugs throughout their digital infrastructure.

Launched in December 2021, the first phase of the Hack DHS program found more than 122 vulnerabilities, 27 of which were critical. DHS awarded $125,000 to participants who found the bugs.

“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS CIO Eric Hysen said in a release announcing the completion of phase one.


Bug-Hunting Programs May Continue Indefinitely

The DHS plans as many as eight bug-hunting programs for the first year of the extended program and another 17 for the following year, according to a request for proposals looking for vendors to help the DHS stand up and manage an indefinite, ongoing program.

This follows what has been a considerable effort from the DOD over the past several years to gradually launch similar bounty efforts via its Hack the Pentagon program. The program already boasts considerable success, with 15 bounties held and more than 7,000 vulnerabilities found since its launch in 2016.


Recent efforts by the Pentagon have focused on its industrial base. In April, the DOD completed a yearlong hunt that found nearly 400 vulnerabilities among 41 companies.

A newer, weeklong hunt wrapped on July 11, with $110,000 allocated to find new vulnerabilities. That program offered an average of $500 to $1,000 for discoveries, with a special $3,000 award for the best army.mil finding.

Both programs are being co-hosted by HackerOne, a white-hat ethical hacking group.
