DHS will pay between $500 and $5,000 depending on the gravity of the vulnerability and the impact of the remediation, Homeland Security Secretary Alejandro Mayorkas announced Tuesday.
“It’s a scalable amount of money but we consider that quite significant,” he said, speaking at the Bloomberg Technology Summit. “We’re really investing a great deal of money, as well as attention and focus, on this program.”
Hackers will earn the highest bounties for identifying the most severe bugs, DHS said.
Some private companies offer much higher bounties for uncovering vulnerabilities. For instance,
The announcement comes a day after senior Biden administration
“It’s great that DHS is working with hackers and welcoming their findings; however, time-bound bug bounty programs do not deliver consistent security improvements,” she told CNN. “It’s time to mature government vulnerability disclosure and bug bounty programs towards measurable security outcomes.”
She also pointed out that bug bounties are meant to catch what internal security due diligence missed.
“I will be interested to see if this newest bug bounty reveals more complex bugs than typical low-hanging fruit normally found in bug bounties,” she added.
The department ran a bug bounty pilot program in 2019, which stemmed from legislation that allows DHS to compensate hackers for evaluating department systems. It also builds on similar efforts, like the Department of Defense’s “Hack the Pentagon” program.
Casey Ellis, founder and chief technology officer at Bugcrowd, a San Francisco-based cybersecurity firm that is working with DHS on the bug bounty program, said there are benefits to adding outside expertise to the department’s cybersecurity efforts.
“It takes an army of allies to outsmart an army of adversaries. Even with an internal team as resourced and smart as the DHS, adding the collective creative of the good-faith hacker community helps DHS level the playing field against the adversary.”
Bugcrowd has been advising a variety of government agencies for many years, including DHS, and will be the platform partner for this program.
Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob Portman of Ohio, who helped draft the initial bug bounty legislation, praised the announcement.
“At a time when cyber threats are on the rise, I’m pleased that DHS is making permanent the bug bounty program I created with Senator Hassan to ensure our federal government is better prepared to protect itself,” Portman said in a statement.
This story has been updated with more comments.