The Department of Homeland Security (DHS) today revealed that bug bounty hunters enrolled in its ‘Hack DHS’ bug bounty program have found 122 security vulnerabilities in external DHS systems, 27 of them rated critical severity.
DHS awarded a total of $125,600 to roughly 450 vetted security researchers and ethical hackers, with rewards of up to $5,000 per bug, depending on the flaw’s severity.
“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” said DHS Chief Information Officer Eric Hysen.
“We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”
The ‘Hack DHS’ program builds on the experience of similar efforts across the US federal government (e.g., the ‘Hack the Pentagon’ program) and the private sector.
DHS launched its first bug bounty pilot program in 2019, two years before ‘Hack DHS,’ after the SECURE Technology Act was signed into law, requiring the establishment of a security vulnerability disclosure policy and a bounty program.
Launched to create a model for other government agencies
The ‘Hack DHS’ bug bounty program was announced in December 2021. It requires the hackers to disclose their findings together with detailed information on the vulnerability, how it can be exploited, and how it can be used to gain access to data on DHS systems.
All reported security flaws are then verified by DHS security experts within 48 hours and are fixed in 15 days or more, depending on the bug’s complexity.
One week after the launch, DHS expanded the scope of the ‘Hack DHS’ bounty program to allow researchers to track down DHS systems impacted by Log4j-related vulnerabilities.
The decision to expand the program came on the heels of a CISA emergency directive ordering Federal Civilian Executive Branch agencies to patch their systems against the critical Log4Shell bug by December 23.
“Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity,” added Secretary of Homeland Security Alejandro N. Mayorkas.
“Hack DHS underscores our Department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cybersecurity threats.”