DHS Bug Bounty Program Offers Cash for Vuln …
Did you resolve to pull in some extra cash in the new year? Ethical hackers have heaps of options.
The Department of Homeland Security recently launched an invite-only bug bounty program called “Hack DHS,” with a recent addition for anyone who can uncover Log4j vulnerabilities. This white-hat program is open to a limited number of hackers, according to the release from DHS.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro N. Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
This program will occur in three phases, according to the DHS statement. First, hackers will assess DHS external systems. Next, they’ll participate in a live, in-person hacking event. The final phase will be a review period for DHS, as it develops plans for future bug bounties.
Participants will be closely monitored to ensure they’re following the rules of engagement, and disclosure of each bug will be provided to the DHS system owners. This required information
Amid a growing market of private-sector bounty programs, which encourage independent researchers to uncover flaws for cash, the average payout within the last year was $3,000 for a critical flaw, according to HackerOne’s recent report.
The data show that ethical hackers uncovered more than 66,000 valid vulnerabilities, a 20% increase from 2020, along with a median price increase from $2500 to $3000. Another benefit of these programs is a drop in median time-to-resolution; that number fell from 33 days to 26.7 days.
Companies like Google and Intel pay top dollar for the biggest vulnerabilities. Through Google’s Vulnerabilities Reward Program, launched more than 10 years ago, 2,022 researchers received nearly $30 million in rewards for just over 11,000 bugs.