"Hack DHS: Homeland Security’s First Bug Bounty Turns Up 122 Vulnerabilities"

"Hack DHS," the US Department of Homeland Security's (DHS) first bug bounty program open to external researchers, resulted in the discovery of 122 vulnerabilities, 27 of which (about 22 percent) were rated critical. More than 450 vetted security researchers took part, with payouts of between $500 and $5,000 per vulnerability depending on severity. Approved participants were invited to run a virtual assessment against select DHS systems. DHS was the first federal agency to expand its bug bounty program to cover Log4j vulnerabilities across all of its public-facing information system assets, allowing it to identify and fix flaws that had not surfaced through any other means. DHS did not reveal how many of the discovered flaws were related to Log4j, nor how many of the reported bugs qualified for the top $5,000 award. The first of the program's three phases is now complete. The second phase will invite security researchers to a live, in-person hacking event, and the third phase will collect findings to inform future bug bounty programs. The Cybersecurity and Infrastructure Security Agency (CISA) created the bug bounty platform used by Hack DHS, and the DHS Office of the Chief Information Officer (CIO) governed and monitored the rules of engagement. This article continues to discuss the results and structure of the Hack DHS program.

ZDNet reports "Hack DHS: Homeland Security’s First Bug Bounty Turns Up 122 Vulnerabilities"

Submitted by Anonymous on