UPDATED 22:02 EDT / DECEMBER 15 2021

SECURITY

DHS launches bug bounty program with payments of up to $5,000

The U.S. Department of Homeland Security is offering payments of up to $5,000 under a bug bounty program called “Hack DHS.”

The bug bounty program is designed to identify potential cybersecurity vulnerabilities within certain DHS systems and to increase the department’s cybersecurity resilience. The program is not a free-for-all, however: only vetted cybersecurity researchers will be invited to access select DHS systems, where they will look for vulnerabilities that bad actors could exploit so that those flaws can be patched.

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” DHS Secretary Alejandro N. Mayorkas said in a statement. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”

A normal bug bounty program would be ongoing and open to all, but this is the U.S. government, so anything like this is arguably a net positive versus doing nothing at all. The program will run through fiscal year 2022 with the goal of developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.

Phase one will involve “hackers” (by which they mean vetted cybersecurity professionals) conducting a virtual assessment on certain DHS external systems. Phase two will involve the so-called hackers participating in a live, in-person hacking event. The third and final phase will involve the DHS identifying and reviewing lessons learned and planning for future bug bounties.

Hack DHS will be run by the DHS Cybersecurity and Infrastructure Security Agency and will be governed by several rules of engagement. The program will be monitored by the DHS Office of the Chief Information Officer. Bug bounty payments will be determined on a sliding scale, with the highest bounties being paid for the most severe bugs.

The bug bounty program is being run in conjunction with crowdsourced security platform company Bugcrowd Inc.

“As the Internet grows and cyber threats grow, the concept of ‘see something, say something’, first popularized by the DHS, becomes even more relevant in the digital realm,” Casey Ellis, founder and chief technology officer at Bugcrowd, told SiliconANGLE. “We’ve been advising a variety of government agencies for many years including the DHS, and we’ll be the platform partner for this program.”

It takes an “army of allies to outsmart an army of adversaries,” he added. “Even with an internal team as resourced and smart as the DHS, adding the collective creativity of the good-faith hacker community helps DHS level the playing field against the adversary.”
