Sens. Maggie Hassan (D-N.H.) and Rob Portman (R-Ohio) have introduced legislation to force the Department of Homeland Security (DHS) to implement a “bug bounty” program.
Bug bounty programs offer incentives for third-party researchers to discover and report cybersecurity flaws, giving IT administrators a heads-up on what needs to be repaired.
They are generally considered a useful part of private-sector cybersecurity regimens and are beginning to see some traction in the federal government, including programs at the Department of Defense (DOD).
“[I]n order to protect DHS and the American people from these threats, the Department will need help,” said Hassan in a statement.
“The ‘Hack the DHS Act’ provides this help by drawing upon an untapped resource — patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens.”
“Hack the DHS” takes its name from successful programs run in the DOD, including “Hack the Pentagon” and “Hack the DoD.”
The DOD programs required hackers to be vetted before participating, something that is not required in all programs.
The Hack the DHS bill leaves many details of the program up to the agency but requires the DHS to establish a program within 180 days.
Hack the Pentagon, the first federal bug bounty, ran for slightly under one month in 2016. In that time, hackers discovered 138 patchable vulnerabilities within the DOD’s public-facing systems. Then-Secretary of Defense Ash Carter estimated that the $150,000 program saved the department more than $800,000 compared with obtaining comparable security testing from the private sector.