Homeland Security bug bounty program uncovers 122 holes in its systems

The first bug bounty program by America's Homeland Security has led to the discovery and disclosure of 122 vulnerabilities, 27 of which were deemed critical.

In total, more than 450 security researchers participated in the Hack DHS program and identified weaknesses in "select" external Dept of Homeland Security (DHS) systems. At the end of the hack-a-thon, the department awarded these carefully vetted bug hunters $125,600 total for finding and disclosing the flaws, which is relatively cheap considering, for instance, Google has paid out millions for similar bugs. More cash is set to come from Homeland Security, we note.

"The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited," DHS Chief Information Officer Eric Hysen said in a statement. 

DHS did not immediately respond to The Register's questions about the bugs found and fixed through Hack DHS.

The department announced the program in December and modeled it after the Department of Defense's Hack the Pentagon as well as private bug bounty efforts, such as those run by Amazon, Microsoft, Google, and virtually every other major technology company.

Hack DHS followed a pilot bug bounty program that the department trialed in 2019 as part of the SECURE Technology Act. DHS also offered bounties for reports of Log4j vulnerabilities in any public-facing information system assets, which "allowed the department to identify and close vulnerabilities not surfaced through other means," the organization said in a statement.

• Microsoft ups bug bounties 30% for cloud lines, pays more for 'scenario-based' exploits
• Now Mandiant says 2021 was a record year for exploited zero-day security bugs
• Google tracked record 58 exploited-in-the-wild zero-day security holes in 2021
• Five Eyes nations fear wave of Russian attacks against critical infrastructure

The bug bounty program has three phases, all of which will be completed by the end of the year. The payouts signaled the end of the first phase. During the second phase, security researchers that have been vetted by the department will participate in a live, in-person hacking event. 

And in the third phase, DHS will identify lessons learned that can help share future bug bounty programs. The goal of Hack DHS is to create a model that can be used by other government organizations to improve their cybersecurity resilience.

"Hack DHS underscores our Department's commitment to lead by example and protect our nation's networks and infrastructure from evolving cybersecurity threats," Secretary of Homeland Security Alejandro Mayorkas said in a statement.

Cybercriminals are finding bugs, too

The DHS bug bounty awards come as two reports issued last week found actively exploited zero-day vulnerabilities hit an all-time high last year. 

Mandiant identified 80 such actively abused flaws in 2021, which the security shop's researcher James Sadowski noted is more than double the previous zero-day record from 2019.

Another zero-day report published last week by Google said miscreants exploited 58 zero-days. Meanwhile Microsoft recently said it will pay more — up to $26,000 more — for "high-impact" bugs in its Office 365 products via its bug bounty program.

The new "scenario-based" payouts to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program aim to incentivize bug hunters to focus on finding vulnerabilities with "the highest potential impact on customer privacy and security," according to the Redmond software goliath. ®