The US Department of Homeland Security (DHS) announced that 450 researchers working in its first-ever “Hack DHS” bug bounty program identified at least 122 vulnerabilities, 27 of which were considered “critical”.
Launched in December 2021, the program had vetted security researchers and ethical hackers to probe select external DHS systems for vulnerabilities, with the potential to receive up to $5,000 for their finds.
According to DHS, the agency awarded $125,600 to researchers in the first of what will be a three-phase program that aims to better inform federal agencies and other public sector organisations about the pros and cons of bug bounty programs.
In a statement, Secretary of Homeland Security Alejandro N. Mayorkas said that organisations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cyber security.
“Hack DHS underscores our department’s commitment to lead by example and protect our nation’s networks and infrastructure from evolving cyber security threats,” Mayorkas said.
The bug bounty concept was first used broadly in the US government by the Defense Department, and in recent years, Congress has pressed civilian agencies to find ways to incorporate it too.
In the second phase of the program, ethical hackers will participate in a live, in-person hacking event, according to DHS.
During the third phase, DHS will identify lessons learned that could inform future bug bounty programs in government.
“The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” DHS chief information officer Eric Hysen said in a statement.
“We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”