[BreachExchange] US government to offer up to $5,000 ‘bounty’ to hackers to identify cyber vulnerabilities

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Dec 15 09:32:37 EST 2021


https://localnews8.com/politics/cnn-us-politics/2021/12/14/us-government-to-offer-up-to-5000-bounty-to-hackers-to-identify-cyber-vulnerabilities/

The Department of Homeland Security is launching a “bug bounty” program,
potentially offering thousands of dollars to hackers who help the
department identify cybersecurity vulnerabilities within its systems.

DHS will pay between $500 and $5,000 depending on the gravity of the
vulnerability and the impact of the remediation, Homeland Security
Secretary Alejandro Mayorkas announced Tuesday.

“It’s a scalable amount of money but we consider that quite significant,”
he said, speaking at the Bloomberg Technology Summit. “We’re really
investing a great deal of money, as well as attention and focus, on this
program.”

Hackers will earn the highest bounties for identifying the most severe
bugs, DHS said.

Some private companies offer much higher bounties for uncovering
vulnerabilities. For instance, payouts from Apple range from $25,000 to $1
million and Microsoft offers up to $200,000.

The announcement comes a day after senior Biden administration cyber
officials warned that hackers are exploiting a newly revealed software
vulnerability.

The vulnerability is in Java-based software known as “Log4j” that large
organizations, including some of the world’s biggest tech firms, use to
configure their applications.

Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security
Agency, said the “vulnerability is one of the most serious that I’ve seen
in my entire career, if not the most serious,” during a call with
executives from major US industries Monday.

As part of the “Hack DHS program,” the department will verify the
vulnerability within 48 hours and either remediate it within 15 days or, if
required, develop a plan for remediation within a 15-day period, according
to Mayorkas.

The program will be open to vetted cybersecurity researchers who have been
invited to access select external DHS systems.

“Hack DHS” will be carried out in three phases. First, hackers will conduct
virtual assessments, which will be followed by a live, in-person hacking
event. During the third phase, DHS will identify and review lessons learned
and plan for future bug bounties, according to the department.

Asked whether this program will last into future administrations, Mayorkas
said that if it proves valuable, “we will continue the program for as long
as we can.”

Katie Moussouris, CEO and founder of Luta Security, welcomed the move but
raised concerns about the program’s timeline.

“It’s great that DHS is working with hackers and welcoming their findings;
however, time-bound bug bounty programs do not deliver consistent security
improvements,” she told CNN. “It’s time to mature government vulnerability
disclosure and bug bounty programs towards measurable security outcomes.”

She also pointed out that bug bounties are meant to catch what internal
security due diligence missed.

“I will be interested to see if this newest bug bounty reveals more complex
bugs than typical low-hanging fruit normally found in bug bounties,” she
added.

The department ran a bug bounty pilot program in 2019, which stemmed from
legislation that allows DHS to compensate hackers for evaluating department
systems. It also builds on similar efforts, like the Department of Defense’s
“Hack the Pentagon” program.

Casey Ellis, founder and chief technology officer at Bugcrowd, a San
Francisco-based cybersecurity firm that is working with DHS on the bug
bounty program, said there are benefits to adding outside expertise to the
department’s cybersecurity efforts.

“It takes an army of allies to outsmart an army of adversaries. Even with
an internal team as resourced and smart as the DHS, adding the collective
creative of the good-faith hacker community helps DHS level the playing
field against the adversary.”

Bugcrowd has been advising a variety of government agencies for many years,
including DHS, and will be the platform partner for this program.

Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob
Portman of Ohio, who helped draft the initial bug bounty legislation,
praised the announcement.

“At a time when cyber threats are on the rise, I’m pleased that DHS is
making permanent the bug bounty program I created with Senator Hassan to
ensure our federal government is better prepared to protect itself,”
Portman said in a statement.