The US Department of Homeland Security (DHS)'s first bug bounty with outside researchers, called "Hack DHS", helped identify 122 vulnerabilities.
DHS announced the Hack DHS bounty in December, and in phase 1 of the program invited more than 450 "vetted security researchers" to get involved. DHS suggests the program produced solid results: 27, or about 22%, of the 122 vulnerabilities participants found were deemed "critical".
DHS offered participants between $500 and $5,000 per discovered vulnerability and in total awarded $125,600 for verified security flaws. It was the first federal agency to amend its bug bounty program to include Log4J flaws across all public-facing information system assets. This allowed it to identify and close vulnerabilities not surfaced through other means besides the bounty, the DHS said. It doesn't say how many of the flaws were related to Log4J or how many of the identified bugs were eligible for the $5,000 award.
This bug bounty invited approved hackers to run a virtual assessment on select DHS systems. It concludes the first of DHS's three-phase program. The second phase invites security researchers to join a live, in-person hacking event, while the third phase will be used by DHS to collect lessons that inform future bug bounty programs.
CISA created the bug bounty platform used by Hack DHS, while the DHS Office of the Chief Information Officer (CIO) governed and monitored the rules of engagement.
"The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited," said DHS CIO Eric Hysen.
"We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses."
Hack DHS follows similar bounty programs like "Hack the Pentagon," a first-of-its-kind program launched in 2016 that helped uncover 100 vulnerabilities across various Defense Department assets. It followed related bug bounty efforts from the Department of Defense, Air Force, and Army.