2026-07-15 22:10:28 Maryland’s ‘bug bounty’ helps detect vulnerabilities on the state’s websites – NEW WTOP Skip to main content

Maryland’s ‘bug bounty’ helps detect vulnerabilities on the state’s websites

The state of Maryland has unleashed a team of computer experts and enthusiasts on a number of the state’s websites. The mission: to see if they could find weak spots in the state’s domains that end in “maryland.gov,” “md.gov” or “state.md.us.”

“We found more than 40 vulnerabilities,” said Chris Krawiec, senior director of cyber resilience with the Maryland Department of Information Technology.

When asked about where those weak spots on the state’s websites were found, Krawiec told WTOP he “can’t speak on specifics on vulnerabilities for security reasons, but what I can say is that largely speaking, all of our agency partners were very responsive.”

The goal is to plug any holes in security that could present a security risk, including something like “an exposure of resident data,” Krawiec said.

Krawiec explained that the “bug bounty” method of detecting problems with security on the state’s websites is similar to the model used by federal agencies, where participants are hired to find bugs and are only paid if they do detect them.

“When we do a bug bounty, it’s a pay-for-performance type style engagement,” he said, where the researchers are not paid unless they find a vulnerability.

When it comes to the cost of remediation, Krawiec said, “These are generally assets or applications that are already being managed by their state agencies or our partners in this program,” so there’s not typically an extra cost associated with instituting the fixes.

Krawiec said that the recent study of the state’s cybersecurity status is a first for the state.

“It is definitely something that we’re considering expanding,” he said.

The bug bounty approach to scouring the state’s websites is something that’s been used at the federal level, Krawiec told WTOP. And it’s very cost-effective, at about $100,000.

“From a cost perspective,” Krawiec said, “that’s testing almost the entirety of the public-facing infrastructure of the state for $100,000.”

Md. Labor Department says unsafe agency workplace ultimately led to parole agent’s death

Maryland’s public safety department maintains an unsafe workplace that puts employees’ safety at risk and ultimately led to the May 31 killing of Parole Agent Davis Martinez while he was checking in on a parolee. That was the finding of a citation issued by the Maryland Department of Labor, which said that the Department of Public Safety and Correctional Services’ failures exposed its workers to physical threats “such as being shot, punched, kicked, scratched, stabbed, strangled, bit and/or spit on.”
Read Next Story