Skip to main content

Homeland Security bug bounty reveals huge number of flaws

The outcome of a bug bounty program for the Department of Homeland Security (DHS) has been revealed, and it’s not particularly encouraging news for a government agency synonymous with cyber security.

Participants of DHS’ first-ever bug bounty program, named “Hack DHS,” confirmed that they found a worrying number of security bugs.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

They discovered a total of 122 security vulnerabilities in external DHS systems, according to The Register and Bleeping Computer. Twenty-seven bugs were recognized as “critical severity” flaws.

The Hack DHS initiative saw more than 450 security researchers participate in the program. For their efforts, the government agency paid out a total reward of $125,600 that was distributed amongst the ethical hackers.

As aptly highlighted by The Register, the aforementioned payout figure pales in comparison to what other organizations pay to bug bounty hunters.

For example, Intel has previously offered up to $100,000 for successfully uncovering specific vulnerabilities.

Other technology giants like Microsoft offer 10s of thousands of dollars for finding flaws, while Apple paid a single individual nearly the entirety of the Hack DHS bounty by giving him $100,000 for hacking a Mac.

Google, meanwhile, has awarded nearly $30 million to individuals enrolled in its own bug bounty programs. In one particular case, the company gave a self-taught teenage hacker $36,000 for reporting a certain bug.

Considering the fact that one of the Department of Homeland Security’s key responsibilities involves cyber security, many may understandably be concerned that such a high amount of security bugs were found in the first place. Moreover, the somewhat lackluster payment tiers associated with Hack DHS could be a potential deterrent to future interested parties.

All things considered, it seems the DHS is not as secure as many Americans would have hoped it would be.

A physical lock placed on a keyboard to represent a locked keyboard.
piranka / Getty Images

Homeland Security’s quest to become more secure

Hack DHS was originally introduced in December 2021. Any hacker who joined the program would have to provide a comprehensive breakdown of any vulnerability they find. They also have to detail how that flaw can be targeted and exploited by potential threat actors, as well as explain how it can be specifically utilized to access and extract data from DHS systems.

Once these security defects are put through a verification process by “DHS security experts,” which takes 48 hours to analyze after a bug is detected and submitted, they are generally patched within 15 days or so. In some cases, it takes the government agency longer than half a month to fix the more intricate flaws.

The government agency’s bug bounty program will be conducted via a tiered rollout consisting of three stages. The first phase, payouts, has been completed, while the upcoming second stage will see security researchers hand-picked by the DHS taking part in a live hacking event.

As for the final phase, The Register reports that DHS will share information that it hopes will influence additional bug bounty programs.

The popularity of bug bounty programs is increasingly becoming more prominent in an era where cybercriminals have been intensifying their attempts to infiltrate major companies, especially in the technology space.

For example, Intel unveiled Project Circuit Breaker, an expansion to its bug bounty program that was introduced to recruit “elite hackers.” Google also updated its Vulnerability Reward Program last year by launching a new bug platform.

Elsewhere, Google recently confirmed that a record number of dangerous zero-day exploits were identified in 2021, while cybercrimes are more widespread than ever before.

Editors' Recommendations

Zak Islam
Former Digital Trends Contributor
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
Is ChatGPT creating a cybersecurity nightmare? We asked the experts
A person's hand holding a smartphone. The smartphone is showing the website for the ChatGPT generative AI.

ChatGPT feels pretty inescapable right now, with stories marveling at its abilities seemingly everywhere you look. We’ve seen how it can write music, render 3D animations, and compose music. If you can think of it, ChatGPT can probably take a shot at it.

And that’s exactly the problem. There's all manner of hand-wringing in the tech community right now, with commenters frequently worrying that AI is about to lead to a malware apocalypse with even the most green-fingered hackers conjuring up unstoppable trojans and ransomware.

Read more
Hackers may have stolen the master key to another password manager
keepass master password plain text vulnerability open padlock cybersecurity

The best password managers are meant to keep all your logins and credit card info safe and secure, but a major new vulnerability has just put users of the KeePass password manager at serious risk of being breached.

In fact, the exploit allows an attacker to steal a KeePass user’s master password in plain text -- in other words, in an unencrypted form -- simply by extracting it from the target computer’s memory. It’s a remarkably simple hack, yet one that could have worrying implications.

Read more
Hacker claims to have hit Apple days after hacking AMD
The Apple logo is displayed at the Apple Store June 17, 2015 on Fifth Avenue in New York City

Data breaches happen all the time, but when the giants get hit, it's impossible not to wonder what kind of critical data may become exposed. Earlier this week, notorious cybercriminal Intelbroker reported that they managed to hack AMD. Now, they followed up with claims about hacking Apple, and went as far as to share some internal source code on a hacking forum.

As Apple has yet to comment, all we have to go off is the forum post, first shared by HackManac on X (formerly Twitter). In the post, Intelbroker states that Apple suffered a data breach that led to the exposure of the source code for some of its internal tools. The tools include AppleConnect-SSO, Apple-HWE-Confluence-Advanced. There's been no mention of any customer data being leaked, which is good news, but there could still be some impact on Apple if this proves to be true.

Read more