A pair of senators wants to give hackers a chance to take a swing at the Department of Homeland Security’s networks and internal systems through a broad bug bounty program.
A proposed bill introduced in the Senate Friday would build on the foundation of the Hack the Pentagon program that the Department of Defense ran in 2016. The program was considered an unqualified success, with nearly 1,500 researchers participating and producing more than 1,100 vulnerability reports. The DoD last year announced that it would continue that program and allow components of the department to work with HackerOne and Synack on their own bug bounty programs.
Now, Sen. Maggie Hassan (D-N.H.) and Sen. Rob Portman (R-Ohio) have brought forward a bill that would extend this concept to DHS, the department that is responsible for securing the federal government’s own internal networks.
“Federal agencies like DHS are under assault every day from cyberattacks. These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help,” Hassan said.
“The Hack DHS Act provides this help by drawing upon an untapped resource—patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens. This bipartisan bill take the first step to utilize best practices from the private sector to harness the skills of hackers across America as a force multiplier against these cyber threats. I will work with members of both parties to move this important bill forward.”
Like the Hack the Pentagon bounty program before it, the proposed Hack the DHS program would require participants to register and would go through a background check. The act doesn’t specify what the payouts for the program would be, but in the Pentagon version, bounties were from $100 up to $15,000. Bug bounty programs, once considered a novelty, have become a well-established method for companies and government agencies to leverage the wider security research community to help secure their networks.