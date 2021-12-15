



DHS will pay between $500 and $5,000 depending on the severity of the vulnerability and the impact of remediation, Homeland Security Secretary Alejandro Mayorkas said on Tuesday.

“It’s an evolving amount of money, but we consider it to be quite important,” he told the Bloomberg Technology Summit. “We are really investing a lot of money, as well as attention and focus, into this program.”

Hackers will receive the highest bounties for identifying the most serious bugs, DHS said.

Some private companies offer much higher premiums for discovering vulnerabilities. For example, Apple’s payouts range from $25,000 to $1 million, and Microsoft is offering up to $200,000.

The vulnerability is found in Java-based software known as “Log4j” that large organizations, including some of the world’s largest technology companies, use to configure their applications.

Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, said “the vulnerability is one of the most serious I have seen in my entire career, if not the most serious,” during a call with executives from major US industries on Monday.

As part of the “Hack DHS” program, the department will verify a reported vulnerability within 48 hours and fix it within 15 days or, if necessary, develop a remediation plan within 15 days, according to Mayorkas.

The program will be open to approved cybersecurity researchers who have been invited to access certain external DHS systems.

“Hack DHS” will take place in three phases. First, hackers will perform virtual assessments, which will be followed by a live, in-person hacking event. In the third phase, DHS will identify and review lessons learned and plan for future bug bounties, according to the department.

When asked if this program would last in future administrations, Mayorkas said that if it proved useful, “we will continue the program as long as we can.”

Katie Moussouris, CEO and founder of Luta Security, welcomed the move but expressed concerns about the program’s schedule.

“It’s great that DHS works with hackers and welcomes their findings; however, time-limited bug bounty programs don’t make consistent improvements in security,” she told CNN. “It’s time to mature government vulnerability disclosure and bug bounty programs towards measurable security results.”

She also pointed out that bug bounties are meant to catch what internal security due diligence missed.

“I’ll be interested to see if this new bug bounty reveals more complex bugs than the typical low-hanging fruit normally found in bug bounties,” she added.

The department launched a bug bounty pilot program in 2019, which stems from legislation that allows DHS to compensate hackers for evaluating departmental systems. It also builds on similar efforts, such as the Department of Defense’s “Hack the Pentagon” program.

Casey Ellis, founder and chief technology officer at Bugcrowd, a San Francisco-based cybersecurity firm working with DHS on the bug bounty program, said there were benefits to adding external expertise to the department’s cybersecurity efforts.

“It takes an army of allies to outsmart an army of adversaries. Even with an internal team as rich and intelligent as DHS, adding the collective creativity of the bona fide hacker community helps DHS level the playing field against the adversary.”

Bugcrowd has been advising various government agencies for many years, including DHS, and will be the platform partner for this program.

Democratic Senator Maggie Hassan of New Hampshire and Republican Senator Rob Portman of Ohio, who helped draft the original bug bounty legislation, welcomed the announcement.

“At a time when cyber threats are on the rise, I am delighted that DHS is making permanent the bug bounty program that I created with Senator Hassan to ensure that our federal government is better prepared to protect itself,” Portman said in a statement.

This story has been updated with more comments.

CNN’s Sean Lyngaas contributed to this story.

