New "Hack DHS" program will pay up to $5,000 for discovered vulnerabilities

Dec, 15, 2021 Hi-network.com

The US Department of Homeland Security is launching its own bug bounty program to help find and correct gaps in its systems. 

The new "Hack DHS" program was made official by Homeland Security Secretary Alejandro Mayorkas in a press release on the agency's website, after it was revealed at the recent Bloomberg Technology Summit and covered by The Record. The program promises to pay out between $500 and $5,000 to "vetted cybersecurity researchers who have been invited to access select external DHS systems." The actual payout will be based on the severity of the specific vulnerability discovered.

As noted by DHS, this new bounty program builds on similar private-sector efforts and "Hack the Pentagon," a first-of-its-kind program launched in 2016 that was ultimately responsible for identifying over 100 vulnerabilities across various Defense Department assets. The DHS itself created a similar pilot program in 2019 on the back of a bipartisan bill. It followed related efforts from the Department of Defense, Air Force, and Army. 

"The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors," Mayorkas noted. 

The effort will include three phases that will run throughout FY 2022. In the first phase, hackers will be called on to conduct a "virtual assessment" of select DHS systems. This will be followed by a "live, in-person hacking event" during phase two, and an identification and review process during the third and final phase.

The DHS noted that it will use the data collected during this process to both plan for future bug bounties, and to develop "a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience." 

Like previous government programs of a similar nature, this one will be governed by rules orchestrated by the DHS' Cybersecurity and Infrastructure Security Agency (CISA), with all participants required to fully disclose any information that could be useful in mitigating and correcting the vulnerabilities they discover. 

The hope for programs like this one is to privately discover and patch holes without relying on external security researchers or random discoverers to do the scrupulous thing and inform the vendor/agency before releasing a vulnerability into the wild. This effort appears particularly timely in a world where governments, businesses, and just about everyone that owns a computer continue to deal with the fallout from the very public disclosure and rapid exploitation of the Log4j vulnerability. 
