Future Tech

US Department of Homeland Security offers hackers a bounty to find bugs

Tan KW
Publish date: Wed, 15 Dec 2021, 02:46 PM

The US Department of Homeland Security announced a new programme on Dec 14 in which the agency will pay outside hackers to find vulnerabilities in its computer systems, a type of incentive popular in the cybersecurity industry that is known as a “bug bounty”.

DHS Secretary Alejandro Mayorkas unveiled his agency’s “Hack DHS” programme at the Bloomberg Technology Summit. Unlike many bug bounties, which are open to anyone, DHS said in a statement that its programme would include only “vetted cybersecurity researchers who have been invited to access select external DHS systems”. Any vulnerabilities they find would then be fixed, and the researchers would be rewarded with financial prizes.

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Mayorkas said in the statement. “The Hack DHS programme incentivises highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”

Once a novelty, bug bounty programmes are now run by hundreds of organisations around the world, according to a list maintained by Bugcrowd, a San Francisco-based company that helps manage them. Such programmes allow companies to better secure their products and let cybersecurity researchers make money from identifying weaknesses in companies’ technologies and networks.

Mayorkas said the agency would pay awards from US$500 to US$5,000 per verified vulnerability, amounts that put the highest potential payout from DHS at the lower end of the range of some similar programmes run by large technology companies. Google, for example, said that in 2020 it paid US$6.7mil in bug bounties, with the highest single award being US$132,500.

DHS plans to verify any reported vulnerabilities within 48 hours and either remediate or develop a plan to remediate them within 15 days, Mayorkas said. “We’re really investing a great deal of money as well as attention and focus on this programme,” he said.

Regarding ransomware attacks, which involve hackers locking victims’ computer systems and demanding payment to unlock them, Mayorkas said the agency saw a quadrupling in such incidents in early 2021 but that some of the most prolific hacking groups appear to have backed off for the time being.

One reason may be the stepped-up responses by the US and other countries to such attacks, which included a string of arrests announced in November against alleged members of a Russia-linked ransomware group commonly known as REvil or Sodinokibi, and sanctions against cryptocurrency entities that are accused of enabling the hacks.

“Some of the major players we haven’t seen as active as previously,” Mayorkas said. “That doesn’t mean that they’ve gone away, that we’ve defeated them. They very well might have hit the pause button. Vigilance has to remain at an incredibly high level.”

 - Bloomberg
