Bug-Hunting Programs May Continue Indefinitely
The DHS plans as many as eight bug-hunting programs for the first year of the extended program and another 17 for the following year, according to a request for proposals looking for vendors to help the DHS stand up and manage an indefinite, ongoing program.
This follows what has been a considerable effort from the DOD over the past several years to gradually launch similar bounty efforts via its Hack the Pentagon program. The program already boasts considerable success, with 15 bounties held and more than 7,000 vulnerabilities found since its launch in 2016.
Recent efforts by the Pentagon have focused on its industrial base. In April, the DOD completed a yearlong hunt that found nearly 400 vulnerabilities among 41 companies.
A newer, weeklong hunt wrapped on July 11, with $110,000 allocated to find new vulnerabilities. That program offered an average of $500 to $1,000 for discoveries, with a special $3,000 award for the best army.mil finding.
Both programs are being co-hosted by HackerOne, a white-hat ethical hacking group.