The US Department of Homeland Security (DHS)’s first bug bounty with external researchers, called “Hack DHS”, helped discover 122 vulnerabilities.
DHS announced the Hack DHS bounty in December and, in phase one of the program, invited more than 450 “vetted security researchers” to get involved. DHS suggests the program produced solid results: 27, or about 22%, of the 122 vulnerabilities participants found were deemed “critical”.
DHS offered participants between $500 and $5,000 per discovered vulnerability and in total awarded $125,600 for verified security flaws. It was the first federal agency to amend its bug bounty program to include Log4J flaws across all public-facing information system assets, which allowed it to identify and close vulnerabilities that had not surfaced through means other than the bounty, DHS said. The announcement does not say how many of the flaws were related to Log4J or how many of the identified bugs were eligible for the $5,000 award.
This bug bounty invited approved hackers to run a virtual assessment on select DHS systems. It concludes the first of DHS’ three-phase program. The second phase invites security researchers to join a live, in-person hacking event, while the third phase will be used by