Department of Homeland Security: Vulnerability Disclosure Program

  • Safe harbor
  • Solo-Only

We no longer offer point rewards for submissions on this program. Please refer to our blog post "How Bugcrowd sees VDPs and points" for more details.

Program stats

  • Vulnerabilities accepted: 135
  • Validation within 16 days: 75% of submissions are accepted or rejected within 16 days

Recently joined this program: 309 total

DHS has a unique information and communications technology footprint that is tightly interwoven and globally deployed. Many DHS technologies are deployed in critical infrastructure systems and, to varying degrees, support ongoing homeland security operations; the proper functioning of DHS systems and applications can have a life-or-death impact on DHS personnel and international allies and partners of the United States.

Our information systems provide critical services in support of the widespread, critical missions of DHS. Maintaining the security of our networks is a high priority at DHS. Ultimately, our network security ensures that we can accomplish our missions and contribute to the success of the individuals who contribute to mission success.

DHS recognizes that security researchers regularly contribute to the work of securing organizations and the Internet as a whole. Therefore, DHS invites reports of any vulnerabilities discovered on internet-accessible DHS information systems, applications, and websites [1]. Information submitted to DHS under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks. This program upholds the DHS motto “See Something – Say Something” in the virtual environment by positively engaging with and establishing a communication loop between researchers and DHS.

Hereinafter, researcher [2] may be referred to as “you” or “your” and DHS may be interchangeably used in conjunction with or alternatively referenced as “we”, “our”, or “us”.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.