Senate passes DHS bug bounty bill
The Department of Homeland Security is one step closer to launching a bug bounty pilot.

The Senate passed legislation April 17 that compels DHS to establish a bug bounty program. Sponsored by Sens. Maggie Hassan (D-N.H.), Rob Portman (R-Ohio), Claire McCaskill (D-Mo.) and Kamala Harris (D-Calif.), the bill was introduced last year and authorizes $250,000 for DHS to contract with an outside organization to run the program, which would pay security researchers for finding undiscovered flaws and vulnerabilities in DHS systems and software.

The bill gives the DHS CIO six months to establish a bounty program for the agency's internet-facing IT, which includes computers, software and any equipment or interconnected system or subsystem used by the executive agency. It would not include any equipment acquired by a contractor incidental to a federal contract.

Lawmakers want the agency to model its pilot after the Department of Defense's "Hack the Pentagon" bounty program and consult with DOD about how best to structure its own bounties.

"Bug bounty programs are important cybersecurity tools in the private sector and have shown promising results when used by the government," Portman said in a statement following the bill's passage. "This legislation ensures DHS will execute such a program and reap the cost-effective benefits to the security of their networks and systems."

Under the bill, DHS would report to Congress on participation, payments and any zero-day vulnerabilities discovered by white-hat hackers as well as on plans to remediate flaws discovered under the program.

The $250,000 funding authorized by the measure covers both the contract to run the pilot program and compensation to security researchers, according to a Hassan staffer. The department does not need Congressional authorization to implement a bug bounty program, and the staffer said the bill is designed to put pressure on the agency to act.

"While DHS leadership has expressed enthusiasm for the concept, the department has not yet acted to implement a bug bounty program, and this legislation will ensure that a pilot program is actually established," said the staffer. "Additionally, by authorizing new funding, this bill will help give DHS the capacity to implement this program."

If the bill passes, DHS will join DOD and the General Services Administration as agencies that have implemented bug bounty programs in the last few years. The Trump administration's IT modernization plan encourages federal agencies to make such programs a regular feature of their IT security testing. In March 2018 GSA, in coordination with DHS, was required to identify other agencies that could take advantage of bug bounty programs.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.