The Department of Homeland Security (DHS) announced the launch of the “Hack DHS” bug bounty program on December 14, 2021. The purpose of this program is to identify cybersecurity vulnerabilities, or bugs, in certain DHS systems, thus increasing their resistance to attack.
The DHS will invite vetted security researchers to participate in the program, providing them with access to selected DHS systems. These researchers will play the role of hackers by identifying bugs that malicious actors could exploit, allowing DHS to patch them. Researchers will receive payments, or bounties, for each bug verified by the DHS.
DHS Secretary Alejandro N. Mayorkas stated in the announcement that DHS must lead by example in its efforts to improve the security of US government systems. He added that the Hack DHS program would motivate skilled hackers into identifying vulnerabilities in these systems before bad actors exploit them. Mayorkas closed his remarks by saying Hack DHS is only one example of how DHS is improving the nation’s cybersecurity by partnering with the community.
Hack DHS will be implemented in three phases during Fiscal Year (FY) 2022. Its objective is to develop a model for improving the cybersecurity posture of organizations in all level of government. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has already created the platform that Hack DHS will use. Several rules of engagement will govern this exercise, which the DHS Office of the Chief Information Officer will monitor.
Phase one of Hack DHS will consist of the designated hackers conducting virtual assessments on the selected DHS systems. In phase two, the hackers will participate in a live, in-person hacking event. In the third phase, participants will review the lessons learned and plan future bug bounties.
The hackers will disclose their findings to DHS administrators and executives, including the vulnerabilities they discover, how they exploited them and how they could allow malicious actors to access data. The bounties for identifying bugs are based on a sliding scale such that the most serious bugs have the highest bounties, with specific values ranging from $500 to $5,000. The DHS will verify all reported bugs within 48 hours and fix them in 15 days or more, depending on complexity.
Hack DHS uses the best practices developed from similar initiatives that were widely implemented throughout the federal government and private sector, including “Hack the Air Force,” “Hack the Army,” and “Hack the Pentagon.” Senator Maggie Hassan (D-New Hampshire), Senator Rob Portman (R-Ohio), Representative Ted Lieu (D-California) and Representative Scott Taylor (R-Virginia) authored a set of provisions supporting Hack DHS as part of the SECURE Technology Act, which was passed in 2018. This law authorizes the DHS to compensate the individuals chosen to evaluate its systems by simulating hacker behavior.
The decision to implement Hack DHS is largely driven an emergency directive that CISA issued in December 2021. This directive ordered agencies in the Federal Civilian Executive Branch (FCEB) of the US government to patch a critical Log4Shell bug by December 23 and report impacted Java products by December 28. These reports should include vendor names, app names and versions, and the actions taken to prevent exploitation.
The Log4Shell bug affects Log4j, Apache’s Java-based logging utility. It’s part of the Apache Logging Services and is one of several Java logging frameworks. Log4Shell is a remote code execution (RCE) vulnerability tracked as CVE-2021-44832, which is fixed in Log4j v2.17.1.