By Joseph Marks
The first bill, sponsored by House Majority Leader Kevin McCarthy, R-Calif., would direct Homeland Security officials to create a vulnerability disclosure policy. That policy would describe which department websites hackers can legally probe for vulnerabilities, how they can alert the department about those vulnerabilities, and when and how the department will respond to and remediate them.
Homeland Security Sec. Kirstjen Nielsen told lawmakers in April that the department already plans to adopt such a policy, but the department has not made progress since then, Rep. Jim Langevin, D-R.I., said during Thursday’s markup.
The second bill, which has already been passed by the full Senate, would go a step further, requiring Homeland Security to create a formal program, known as a bug bounty, that would solicit vulnerability reports from hackers and pay them for vulnerabilities that checked out.
The Hack the Department of Homeland Security bill, sponsored by Sen. Maggie Hassan, D-N.H., in the Senate, is partly modeled on numerous successful bug bounty programs at the Pentagon and military services.
The bill would mark the first departmentwide bug bounty in the civilian government. The General Services Administration’s Technology Transformation Service also runs an ongoing bug bounty.
Those Defense Department bug bounties required a lot of time and money, however, and some bug bounty organizers have warned that a full bug bounty may not be a good investment for civilian agencies—especially if they lack the resources to investigate and patch all the bugs ethical hackers uncover.
Homeland Security’s top cybersecurity and infrastructure security official, Chris Krebs, initially expressed skepticism about a department bug bounty, worrying it could steal resources from other parts of the department’s cyber mission. He later endorsed the plan, however, during his confirmation hearing.