The Department of Homeland Security (DHS) announced that bug bounty hunters who want to track down DHS systems affected by the Log4j vulnerabilities can now do so through the ‘Hack DHS’ program.
“In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems,” tweeted DHS Secretary Alejandro N. Mayorkas.
“In partnership with vetted hackers, the federal government will continue to secure nationwide systems and increase shared cyber resilience.”
The ‘Hack DHS’ bug bounty program was unveiled last week. It lets vetted cybersecurity researchers find and disclose vulnerabilities in external-facing DHS systems, with rewards of up to $5,000 for each bug identified.
Hackers taking part in the program must report their findings with detailed information on the vulnerability, how attackers can exploit it, and how threat actors might use it to gain access to DHS systems. DHS will verify all reported security weaknesses within 48 hours and fix them within 15 days or longer, depending on their severity.
Following the passage of the SECURE Technology Act, which mandated the creation of a security vulnerability disclosure policy and a bug reward program, the DHS started its first bug bounty pilot program in 2019.
The decision to broaden the ‘Hack DHS’ initiative follows an emergency directive from CISA instructing Federal Civilian Executive Branch agencies to patch the actively exploited and severe Log4Shell vulnerability by December 23. Federal agencies have until December 28 to report affected Java products in their environments, including application and vendor names, application versions, and the steps taken to prevent exploitation attempts.
CISA maintains a dedicated Log4Shell page with patching guidance for vendors and impacted organizations, and the agency has also published a Log4j scanner for identifying vulnerable applications.
In collaboration with cybersecurity authorities around the world and other US federal entities, CISA also published a joint advisory with mitigation guidance for the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities.