450 security researchers working through the Department of Homeland Security’s “Hack the DHS” bug bounty program identified over 122 vulnerabilities

A recent report by the U.S. Department of Homeland Security (DHS) notes that, over the past year, the “Hack the DHS” vulnerability bounty program involved more than 450 cybersecurity professionals, who found 122 vulnerabilities, including 27 critical bugs.

These reports received rewards totaling $125,600 USD, granting payments of between $500 and $5,000 USD for verified exploitable vulnerabilities.

Although other federal agencies in the U.S. run similar initiatives, DHS was the first to expand its program to cover the detection and reporting of Log4Shell flaws in public-facing information systems, which let other government agencies address vulnerabilities that had not been reported through any other channel.

According to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), exploitation of the Log4j flaws could have been disastrous for these institutions, so the researchers' work was fundamental in averting a critical scenario.

Bug bounty programs are an effective way to incentivize the participation of security researchers, giving them authorization to analyze IT systems that would otherwise be off limits, within a defined set of rules of engagement. That does not mean the approach has no detractors.

Critics argue that programs of this kind lack reliable mechanisms to prevent unscrupulous researchers from selling the critical vulnerabilities they find to malicious hackers, which could be far more lucrative for them than the maximum reward offered by DHS.

Despite the risks, DHS leadership seems satisfied with the results of this first phase of the program. The agency says the second phase will consist of a live hacking event, as other such programs already hold, while a third phase will consist of preparing reports on the findings derived from the project and on their potential use in the design of future reward programs.

Finally, DHS Chief Information Officer Eric Hysen said, “The enthusiastic involvement of the security research community during the first phase of the program allowed us to find and remediate critical vulnerabilities before they could be exploited.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.