DHS questions vulnerability disclosure program

Undiscovered vulnerabilities in agency information systems could be exploited by nation-states or hackers.

The Department of Homeland Security plans to collect information on security vulnerabilities in its information systems and wants to know if its methods are sound.

Section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act requires DHS to establish a Vulnerability Disclosure Program. Undiscovered vulnerabilities could be exploited by nation-states or hackers to steal personally identifiable information or manipulate data.

People, organizations and companies will be able to submit vulnerabilities they find in the department’s systems to DHS in a “safe and lawful way” while honing their skills, according to a notice in the Federal Register.

“In addition, without the ability to collect information on newly discovered security vulnerabilities in DHS information systems, the DHS will rely solely on the internal security personnel and or discovery through post occurrence of such a breach on security controls,” reads the notice.
The program will use a form allowing submitters to share vulnerable hosts, information needed to reproduce the bug, suggestions on how to mitigate the problem, and the predicted impact if nothing is done.

Zero-day vulnerabilities, those unknown to DHS, are of particular concern.

DHS anticipates about 3,000 responses, each taking three hours to ingest, for a total burden of 9,000 hours. The agency wants to know whether potential program participants think the collection is even necessary, whether the estimated burden is accurate, whether the information sought should be expanded, and whether automated or electronic submission is needed.

Comments are being accepted until Oct. 28, and the form will ultimately be posted on DHS’s website in addition to those of its subsidiary agencies like the Transportation Security Administration and Immigration and Customs Enforcement.

Congress continues to consider the creation of a DHS bug bounty program, expected to cost $44 million, rewarding independent researchers who find software and hardware vulnerabilities with payouts.

Written by Dave Nyczepir

Dave Nyczepir is a technology reporter for FedScoop. He was previously the news editor for Route Fifty and, before that, the education reporter for The Desert Sun newspaper in Palm Springs, California. He covered the 2012 campaign cycle as the staff writer for Campaigns & Elections magazine and Maryland’s 2012 legislative session as the politics reporter for Capital News Service at the University of Maryland, College Park, where he earned his master’s of journalism.