Slashdot Mirror


US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com)

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat, and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.


  1. The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 5, Interesting

    The Computer Fraud and Abuse Act of 1986 imposes very harsh penalties for hacking and has been used as a hammer to crush individuals who've managed to draw the attention of the authorities. The US Government has used this law repeatedly over the years to destroy the lives of promising young Americans with prodigious computer skills who were relatively harmless if somewhat misguided. For example, the case of Aaron Swartz comes easily to mind. Fast forward thirty years and now that cyber security is a thing they want our help? Talk about ingratitude.

    1. Re:The US Government Wants Help from Hackers? by Dutch Gun · · Score: 2

      The act you mentioned was passed into law a generation ago, and this new legislation is specifically designed to protect white hats from misguided prosecution under this law. You realize one law can supersede another, right? We always bitch about incompetent government IT, and then when someone in gov tries to rectify it with some legislation that, at least as described, sounds like a good idea, we just bitch about that as well?

      This is becoming standard practice in the private tech/software industry, and a lot of major bugs are found and closed in our modern infrastructure thanks to these sorts of bounties. I suspect security researchers and white hats will react favorably to this proposed policy change. The details of the legislation will be important, of course, but if it's as straightforward as it's described, it seems like this can do nothing but improve our national IT infrastructure.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Oh, by the way... by bistromath007 · · Score: 5, Insightful

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    1. Re:Oh, by the way... by AHuxley · · Score: 2

      Re "If you get any credible proof you've succeeded"
      A nice conversation will be had. That only a small part of the federal network was ever open to the "contest" and that the skilled person got too far in.
      A one time offer will be made to work with the government.

      --
      Domestic spying is now "Benign Information Gathering"
  3. It's a trap! by 93 Escort Wagon · · Score: 2

    Sure, some mysterious government organization starts a hacking contest. Then, if you win, Samaritan has you killed.

    Nice try!

    --
    #DeleteChrome
  4. Going to Gitmo? by Picodon · · Score: 5, Funny

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    Of course not! When you succeed hacking the DHS:
      - If you didn’t get caught, you sell your data to Russia as usual for a rather large reward.
      - If you did get caught, you explain that this was for the bug hunt and submit your findings to the DHS for a much smaller reward.

  5. I have an insightful comment by PPH · · Score: 2

    But I have to fly in the next few days. And the TSA isn't noted for their sense of humor.

    So I'm just going to refrain until I get back home.

    --
    Have gnu, will travel.
  6. Been in a similar situation by houghi · · Score: 3, Interesting

    Years ago I saw some child porn, so as a good citizen I reported it. When nothing was done after a week, I informed the newspapers. The next day the child porn was gone. Me was happy.

    Then the COO came to me at my work (where I had done it all) and asked me if he was allowed to give my details to the police, due to an investigation about child porn. So I explained to him what had happened and I also showed him the emails I had sent. As I had done the right thing, I allowed him to give my details.

    I was then ordered by the police to go to them and they were after me for:
    1) Obstruction of the law, because I informed the press about an ongoing investigation. "Oh, you sent an email? Our mailserver is down at the moment. Sorry."
    2) Spreading of child porn. "Oh, so you just did a reply on a message on Usenet where the URL was in, saying that you would be reporting it? Ok, not that bad as it was already known, we guess."
    3) Falsification of information. "Yes, we understand that you gave fake information to a free email address."

    So not only were they clueless, but if I had had a different COO, I could have been fired, as they told him that it was about child porn.

    Since then I have not seen anything even remotely illegal on the Interwebs and I am sure that I never will.

    --
    Don't fight for your country, if your country does not fight for you.
  7. Re: Let me think about this... by TheMeuge · · Score: 2

    Come on. This way the warrants write themselves... And come straight with a confession. It'll be Christmas day for the DHS and the FBI. Maximum arrests... minimum effort.