The US Department of Homeland Security has expanded the scope of the HackDHS bug bounty program to include Log4j. Researchers can now report their findings to DHS about the impact of Log4j on its network under this program.
HackDHS Bug Bounty Expands To Include Log4j Vulnerability
The US DHS recently launched a dedicated bug bounty program entitled “HackDHS” to strengthen DHS security.
As described in its announcement, the bug bounty program invites reports from researchers about vulnerabilities in DHS systems. HackDHS will run in three phases, letting selected researchers test DHS systems to find and report bugs.
Hack DHS will occur in three phases throughout Fiscal Year 2022, with the goal of developing a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience. During phase one, hackers will conduct virtual assessments on certain DHS external systems. During the second phase, hackers will participate in a live, in-person hacking event. During the third and final phase, DHS will identify and review lessons learned, and plan for future bug bounties.
Shortly after this rollout, DHS has announced that it is expanding the scope of the bug bounty program to include Log4j-related bugs. This decision follows the recently discovered Log4Shell vulnerability that has shaken the internet.
The Director of the US Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, and the Homeland Security Secretary, Alejandro Mayorkas, each announced the expansion in their own tweets.
UPDATE! We opened our #HackDHS bug bounty program to find & patch Log4j-related vulnerabilities in our systems. Huge thanks to the researcher community taking part in this program. Log4j is a global threat & it’s great to have some of the world’s best helping us keep orgs safe. https://t.co/lXcQ2nOH3a
— Jen Easterly (@CISAJen) December 22, 2021
In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems.
— Secretary Alejandro Mayorkas (@SecMayorkas) December 21, 2021
Given the increasing risks associated with Log4j bugs, chiefly the Log4Shell exploit, this decision is a timely and much-needed step.
Although Apache has already released patches for the critical Log4Shell vulnerability in Log4j version 2.17.0, the large number of systems that remain vulnerable (unpatched), together with the possible existence of other, as yet unknown bugs that might attract criminals, demands vigilant monitoring of systems for such vulnerabilities.
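The monitoring this calls for starts with knowing which deployed copies of Log4j are still below the fixed release. The following script is an added example (my code, not DHS, CISA or Apache code): it reads the Implementation-Version from each log4j-core JAR under a directory and reports whether it is at or past 2.17.0, treating a JAR whose JndiLookup class has been deleted as mitigated. It assumes the Log4j 2.x line on Java 8+ (the separate fix releases for older Java runtimes are not modelled), and `assess_jar`, `scan_tree` and the constructed sample-JAR builder are my own names.

```python
"""Flag log4j-core JARs older than 2.17.0, the release the article names as
carrying the Log4Shell fixes. Added example, not DHS or Apache code."""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pads to three parts, ignores '-rc1' suffixes."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    parts = tuple(int(p) for p in m.group(1).split(".")) if m else ()
    return (parts + (0, 0, 0))[:3] if parts else None

def assess_jar(data):
    """Return (version, verdict) for one JAR given its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    version = None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            version = parse_version(line.split(":", 1)[1])
    if version is None:
        return None, "unknown-version"
    if version >= FIXED_VERSION:
        return version, "patched"
    # Deleting JndiLookup.class from the JAR was the published interim
    # mitigation where upgrading was not possible; report that separately.
    if JNDI_CLASS not in names:
        return version, "mitigated-jndi-removed"
    return version, "VULNERABLE"

def scan_tree(root):
    """Walk root for log4j-core JARs; returns {path: (version, verdict)}."""
    return {str(p): assess_jar(p.read_bytes())
            for p in Path(root).rglob("log4j-core-*.jar")}

def make_sample_jar(version, with_jndi=True):
    """Constructed sample JAR (not a real Log4j artifact) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()
```

Run `scan_tree("/opt")` (or any application root) to get a per-JAR verdict; a "VULNERABLE" result means the JAR is both below 2.17.0 and still ships the JndiLookup class.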
Recently, Google has also enhanced its OSS-Fuzz tool to detect Log4j bugs in order to help the community.
Let us know your thoughts in the comments.