The outcome of a bug bounty program for the Department of Homeland Security (DHS) has been revealed, and it’s not particularly encouraging news for a government agency synonymous with cyber security.
Participants of DHS’ first-ever bug bounty program, named “Hack DHS,” confirmed that they found a worrying number of security bugs.
They discovered a total of 122 security vulnerabilities in external DHS systems, according to The Register and Bleeping Computer. Twenty-seven bugs were recognized as “critical severity” flaws.
The Hack DHS initiative saw more than 450 security researchers participate in the program. For their efforts, the government agency paid out a total reward of $125,600 that was distributed amongst the ethical hackers.
As aptly highlighted by The Register, the aforementioned payout figure pales in comparison to what other organizations pay to bug bounty hunters.
For example, Intel has previously offered up to $100,000 for successfully uncovering specific vulnerabilities.
Other technology giants like Microsoft offer 10s of thousands of dollars for finding flaws, while Apple paid a single individual nearly the entirety of the Hack DHS bounty by giving him $100,000 for hacking a Mac.
Google, meanwhile, has awarded nearly $30 million to individuals enrolled in its own bug bounty programs. In one particular case, the company gave a self-taught teenage hacker $36,000 for reporting a certain bug.
Considering the fact that one of the Department of Homeland Security’s key responsibilities involves cyber security, many may understandably be concerned that such a high amount of security bugs were found in the first place. Moreover, the somewhat lackluster payment tiers associated with Hack DHS could be a potential deterrent to future interested parties.
All things considered, it seems the DHS is not as secure as many Americans would have hoped it would be.
Homeland Security’s quest to become more secure
Hack DHS was originally introduced in December 2021. Any hacker who joined the program would have to provide a comprehensive breakdown of any vulnerability they find. They also have to detail how that flaw can be targeted and exploited by potential threat actors, as well as explain how it can be specifically utilized to access and extract data from DHS systems.
Once these security defects are put through a verification process by “DHS security experts,” which takes 48 hours to analyze after a bug is detected and submitted, they are generally patched within 15 days or so. In some cases, it takes the government agency longer than half a month to fix the more intricate flaws.
The government agency’s bug bounty program will be conducted via a tiered rollout consisting of three stages. The first phase, payouts, has been completed, while the upcoming second stage will see security researchers hand-picked by the DHS taking part in a live hacking event.
As for the final phase, The Register reports that DHS will share information that it hopes will influence additional bug bounty programs.
The popularity of bug bounty programs is increasingly becoming more prominent in an era where cybercriminals have been intensifying their attempts to infiltrate major companies, especially in the technology space.
For example, Intel unveiled Project Circuit Breaker, an expansion to its bug bounty program that was introduced to recruit “elite hackers.” Google also updated its Vulnerability Reward Program last year by launching a new bug platform.
Elsewhere, Google recently confirmed that a record number of dangerous zero-day exploits were identified in 2021, while cybercrimes are more widespread than ever before.
