A Department of Homeland Security bug bounty program, as proposed by legislation being considered in the House, would cost $44 million, according to the Congressional Budget Office.
On July 17, the House Committee on Homeland Security requested CBO perform a cost estimate of H.R. 3710, the Cybersecurity Vulnerability Remediation Act, which calls for DHS to establish a bug bounty program.
“H.R. 3710 would give DHS broad latitude in establishing the criteria under which it would provide cash payments,” reads CBO’s report from Aug. 1. “CBO assumes that the department would limit payments to actions that protect government systems.”
Bug bounty programs encourage independent researchers to identify and report cybersecurity vulnerabilities in software and hardware in return for a monetary reward.
Based on similar programs at agencies like the General Services Administration, which offers $150 to $5,000 per vulnerability identified depending on how critical the target is to operations, CBO estimated a DHS program would cost $11 million a year. But DHS wouldn’t be ready to implement a bug bounty program until 2021, and the legislation covers years 2019-24 — hence the $44 million price tag.
The cost becomes less certain if DHS broadens its criteria for awarding payments.
“The budgetary effects of the bill would be significantly larger than this estimate if DHS also provides payments for actions that protect nonfederal systems,” reads the CBO report.
Three separate DHS bug bounties were proposed in 2018 bills.
DHS already manages programs that help system administrators, software manufacturers and the public identify cybersecurity vulnerabilities. The Common Vulnerabilities and Exposures program helps software vendors find risks and explain their ramifications to agencies.
H.R. 3710 would also authorize DHS to share vulnerability information with the public.
Bug bounties have become wildly popular with military services and the Department of Defense. Just last week, the Air Force announced the results of its latest bounty, in which it invited “white hat” hackers to seek out flaws in its Common Computing Environment. The service partnered with third-party firm Bugcrowd to pay out cash for the 54 flaws hackers discovered.