The Department of Homeland Security (DHS) announced today that bug bounty hunters enrolled in the ‘Hack DHS’ bug bounty program have found 122 vulnerabilities in remote DHS systems, 27 of which are of critical severity.
DHS awarded a total of $125,600 to more than 450 vetted security researchers and ethical hackers, with rewards of up to $5,000 per bug, depending on the severity of the flaw.
“The enthusiastic participation of the security research community during the first phase of Hack DHS enabled us to find and fix critical vulnerabilities before they could be exploited,” said DHS Chief Information Officer Eric Hysen.
“We look forward to further strengthening our relationship with the research community as Hack DHS progresses.”
The ‘Hack DHS’ program builds on the experience of similar efforts within the US federal government (eg, the ‘Hack the Pentagon’ program) and the private sector.
DHS launched its first bug bounty pilot program in 2019, two years before “Hack DHS,” after the SECURE Technology Act was signed into law, requiring the establishment of a security vulnerability disclosure policy and bounty program.
Launched to develop a model for other government organizations
The ‘Hack DHS’ bug bounty program was announced in December 2021. It requires the hackers to disclose their findings along with detailed information about the vulnerability, how it can be exploited and how it can be used to access DHS data. systems.
All reported security vulnerabilities are then verified by DHS security experts within 48 hours and fixed within 15 days or more, depending on the complexity of the bug.
A week after its launch, DHS expanded the scope of its ‘Hack DHS’ bounty program to allow researchers to track down DHS systems affected by Log4j-related vulnerabilities.
The decision to expand the program followed a CISA emergency directive that ordered the federal civilian executive to patch their systems against the critical Log4Shell bug until Dec. 23.
“Organizations of all sizes and in every industry, including federal agencies such as the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” added Secretary of Homeland Security Alejandro N. Mayorkas.
“Hack DHS underscores our department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats.”
This post ‘Hack DHS’ bug hunters find 122 security flaws in DHS systems
was original published at “https://www.bleepingcomputer.com/news/security/hack-dhs-bug-hunters-find-122-security-flaws-in-dhs-systems/”