Also advances vulnerability disclosure policy amendment

Sep 13, 2018 16:41 GMT  ·  By

The House Committee on Homeland Security today advanced two bills that would create a bug bounty program and establish a vulnerability disclosure policy for the Department of Homeland Security (DHS), according to a report from The Hill.

The first bill, introduced by Democratic Sen. Maggie Hassan and aptly named the "Hack the Department of Homeland Security Act," would set up a bug bounty pilot program within the Office of the Chief Information Officer.

The program created by this bill aims to reduce the number of vulnerabilities affecting the Department of Homeland Security's Internet-accessible systems and to enable white hat hackers to identify and report such security vulnerabilities in exchange for monetary compensation.

Moreover, the future bug bounty program would cover all publicly reachable DHS computing infrastructure, such as websites, applications, and similar information technology systems.

The DHS is also instructed by the Hack DHS Act to "designate mission-critical operations within DHS that should be excluded from the pilot program," and to devise a simple and fast procedure for "registration, background checks, and eligibility" in the program.

The vulnerability disclosure policy and the bug bounty program should help DHS detect and fix vulnerabilities much more easily

Republican Rep. John Ratcliffe of Texas also added an amendment with technical changes to H.R. 6753, a bill advanced by Rep. Kevin McCarthy (R-CA) that directs the "Secretary of Homeland Security to establish a vulnerability disclosure policy for Department of Homeland Security internet websites, and for other purposes."

McCarthy's bill would also direct the Secretary to develop the exact procedure through which the Department of Homeland Security (DHS) will mitigate and fix security vulnerabilities disclosed under the policy described above.

Rep. James Langevin (D-R.I.) welcomed the initiative proposed by McCarthy and added another amendment that would allow security researchers to help the DHS without asking for compensation.

Langevin also said that "a bug bounty will attract thousands and thousands of eyes and you have to be prepared for that. All of which is to say, I still do have questions about the department’s ability to implement a successful bug bounty program."