The Department of Homeland Security announced this week that it will make permanent a pilot bug bounty program it started in 2019, setting up a long-term channel between the department and the private security research community.

The program will be conducted in three phases over the next year. DHS will start by inviting “vetted” cybersecurity researchers to perform virtual assessments of selected departmental systems, followed by a live, in-person hacking event where hackers can demonstrate their exploits and attacks. It will then review and evaluate the results in order to develop a model that can be repeated across other agencies in the federal government.

This week, Secretary of Homeland Security Ali Mayorkas said in public comments that the program will pay researchers anywhere between $500 and $5,000, depending on the vulnerability’s severity and potential impact on departmental operations. In a statement announcing the program, he said DHS, which helps coordinate and manage cybersecurity issues across the civilian federal government, must “lead by example” and ensure their own systems are being proactively scrutinized for vulnerabilities.

“The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the department is partnering with the community to help protect our Nation’s cybersecurity,” he said.

The Department of Homeland Security announced the #HackDHS bug bounty program on Dec. 15. (DHS via Instagram)

The new, permanent program will use an online platform developed by the Cybersecurity and Infrastructure Security Agency, while the department’s chief information officer will set ground rules for how outside hackers may engage with IT systems.

The program is an outgrowth of a law originally passed in 2018 that established a limited pilot bug bounty program at DHS. It follows bug bounty initiatives set up by the Department of Defense, and last year the Office of Management and Budget and CISA issued marching orders to civilian agencies to begin setting up their own vulnerability disclosure programs, which do not pay out bounties but allow for similar engagement between agencies and outside security researchers around active vulnerabilities.

In their memo to agencies, OMB officials indicated a preference for vulnerability disclosure programs, calling them “among the most effective methods for obtaining new insights regarding security vulnerability information.” They also warned agencies to do their due diligence before setting up a bounty program.

“While several organizations in the Federal government have used bug bounty programs effectively, each agency should carefully weigh the cost, organizational competence, and maturity required for a strong and sustainable program,” the agency wrote last year.

Sen. Maggie Hassan, D-N.H., chief sponsor of the Hack the Department of Homeland Security Act, celebrated the move.

“The Department of Homeland Security is central to the safety and security of Granite Staters and Americans, and it is imperative that their online systems can withstand an attack,” Hassan said. “I am pleased that following the success of our bug bounty pilot program, the department has decided to make this program a permanent part of its cybersecurity strategy.”

While bug bounty programs can and often do discover real vulnerabilities in federal IT systems, they are usually narrowly scoped and restrict researchers to prodding around a select number of public-facing websites, databases and systems, as is the case with the DHS pilot. While agency officials argue that there are myriad potential risks in opening up more sensitive systems to third-party review, that scoping also means large parts of an agency’s actual attack surface are essentially off-limits to outside scrutiny.