DHS announces bug bounty program to hunt down cyber vulnerabilities

The Department of Homeland Security (DHS) on Tuesday announced a new bug bounty program meant to help tackle cyber vulnerabilities in the agency. 

The Hack DHS program will allow vetted cybersecurity experts to hunt through some external DHS systems for vulnerabilities and be paid by the department if they find any, enabling DHS to strengthen its systems against attacks. 

The program will occur in three phases across the next fiscal year, with the first phase involving virtual assessments of DHS networks, the second a live hacking event and the third phase involving DHS evaluating the findings. 


“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Homeland Security Secretary Alejandro MayorkasAlejandro MayorkasDemocrats call on Biden administration to ease entry to US for at-risk Afghans A review of President Biden's first year on border policy  Rift grows between Biden and immigration advocates MORE said in a statement Tuesday. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.” 

Mayorkas announced the program during a speech at the Bloomberg Technology Summit on Tuesday. He highlighted the need to step up cybersecurity protections, warning that ransomware attacks on critical organizations had not decreased in the past year. 

“I would be so excited to be able to answer that question in the affirmative and say yes, but I don’t think we’re there yet,” Mayorkas said at the summit when questioned about if attacks had gone down. “You correctly note that the amount of ransomware attacks really exploded, a 300 percent increase quite frankly ... I think that we cannot be in the position of relaxing our focus.”

DHS first established a bug bounty program in 2019, and the Department of Defense has run the Hack the Pentagon program since 2016, which was the government's first bug bounty program. According to the U.S. Digital Service, the Hack the Pentagon program has discovered more than 7,000 vulnerabilities within Pentagon systems. 

The program was rolled out after a difficult year of cyberattacks that included the SolarWinds hack, which allowed Russian government-backed hackers to breach the networks of at least nine federal agencies for most of 2020, including DHS.