Senate passes DHS bug bounty bill


The Department of Homeland Security is one step closer to launching a bug bounty pilot.

The Senate passed legislation April 17 that compels DHS to establish a bug bounty program. Sponsored by Sens. Maggie Hassan (D-N.H.), Rob Portman (R-Ohio), Claire McCaskill (D-Mo.) and Kamala Harris (D-Calif.), the bill was introduced last year and authorizes $250,000 for DHS to contract with an outside organization to run the program, which would pay security researchers for finding undiscovered flaws and vulnerabilities in DHS systems and software.

The bill gives the DHS CIO six months to establish a bounty program for the agency's internet-facing IT, which includes computers, software and any equipment or interconnected system or subsystem used by the executive agency. It would not include any equipment acquired by a contractor incidental to a federal contract.

Lawmakers want the agency to model its pilot after the Department of Defense's "Hack the Pentagon" bounty program and consult with DOD about how best to structure its own bounties.

"Bug bounty programs are important cybersecurity tools in the private sector and have shown promising results when used by the government," Portman said in a statement following the bill's passage. "This legislation ensures DHS will execute such a program and reap the cost-effective benefits to the security of their networks and systems."

Under the bill, DHS would report to Congress on participation, payments and any zero-day vulnerabilities discovered by white-hat hackers as well as on plans to remediate flaws discovered under the program.

The $250,000 funding authorized by the measure covers both the contract to run the pilot program and compensation to security researchers, according to a Hassan staffer. The department does not need Congressional authorization to implement a bug bounty program, and the staffer said the bill is designed to put pressure on the agency to act.

"While DHS leadership has expressed enthusiasm for the concept, the department has not yet acted to implement a bug bounty program, and this legislation will ensure that a pilot program is actually established," said the staffer. "Additionally, by authorizing new funding, this bill will help give DHS the capacity to implement this program."

If the bill passes, DHS will join DOD and the General Services Administration as agencies that have implemented bug bounty programs in the last few years. The Trump administration's IT modernization plan encourages federal agencies to make such programs a regular feature of their IT security testing. In March 2018 GSA, in coordination with DHS, was required to identify other agencies that could take advantage of bug bounty programs.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

