Senate passes DHS bug bounty bill

The bill would compel the federal government's top civilian cyber agency to pay white hats who find security vulnerabilities in the agency's internet-facing IT operations.

 

The Department of Homeland Security is one step closer to launching a bug bounty pilot.

The Senate passed legislation April 17 that compels DHS to establish a bug bounty program.  Sponsored by Sens. Maggie Hassan (D-N.H.), Rob Portman (R-Ohio), Claire McCaskill (D-Mo.) and Kamala Harris (D-Calif.), the bill was introduced last year and authorizes $250,000 for DHS to contract with an outside organization to run the program, which would pay security researchers for finding undiscovered flaws and vulnerabilities in DHS systems and software.

The bill gives the DHS CIO six months to establish a bounty program for the agency's internet-facing IT, which includes computers, software and any equipment or interconnected system or subsystem used by the executive agency. It would not include any equipment acquired by a contractor incidental to a federal contract.

Lawmakers want the agency to model its pilot after the Department of Defense's "Hack the Pentagon" bounty program and consult with DOD about how best to structure its own bounties.

"Bug bounty programs are important cybersecurity tools in the private sector and have shown promising results when used by the government," Portman said in a statement following the bill's passage. "This legislation ensures DHS will execute such a program and reap the cost-effective benefits to the security of their networks and systems."

Under the bill, DHS would report to Congress on participation, payments and any zero-day vulnerabilities discovered by white-hat hackers as well as on plans to remediate flaws discovered under the program.

The $250,000 funding authorized by the measure covers both the contract to run the pilot program and compensation to security researchers, according to a Hassan staffer. The department does not need Congressional authorization to implement a bug bounty program, and the staffer said the bill is designed to put pressure on the agency to act.

"While DHS leadership has expressed enthusiasm for the concept, the department has not yet acted to implement a bug bounty program, and this legislation will ensure that a pilot program is actually established," said the staffer. "Additionally, by authorizing new funding, this bill will help give DHS the capacity to implement this program."

If the bill passes, DHS will join DOD and the General Services Administration as agencies that have implemented bug bounty programs in the last few years. The Trump administration's IT modernization plan encourages federal agencies to make such programs a regular feature of their IT security testing. In March 2018 GSA, in coordination with DHS, was required to identify other agencies that could take advantage of bug bounty programs.