Thank you for being interested in keeping DHS IT systems secure! The Department of Homeland Security's Vulnerability Disclosure Program (VDP) policy can be found on the dhs.gov website.
Individuals outside of the Department should submit any vulnerabilities to the program, hosted on Bugcrowd: https://bugcrowd.com/engagements/dhs-vdp
Government employees can send an email to vulnerability.disclosure.prog[at]hq.dhs.gov if they need to report anything.