‘Hack DHS’ bug bounty program expands to Log4j security flaws

Image: DHS / BleepingComputer

The Department of Homeland Security (DHS) has announced that the ‘Hack DHS’ program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.

“In response to the recently discovered log4j vulnerabilities, @DHSgov  is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems,” tweeted DHS Secretary Alejandro N. Mayorkas.

“In partnership with vetted hackers, the federal government will continue to secure nationwide systems and increase shared cyber resilience.”

The ‘Hack DHS’ bug bounty program was announced last week. It allows vetted cybersecurity researchers to find and report vulnerabilities in external DHS systems, earning rewards of up to $5,000 per reported bug.

Hackers enrolled in this program are required to disclose their findings together with detailed info on the vulnerability, how attackers can potentially exploit it, and how threat actors could use it to access information from DHS systems.

All reported security flaws will be verified by the DHS within 48 hours and be fixed in 15 days or more, depending on their complexity.

The DHS launched its first bug bounty pilot program in 2019 after the SECURE Technology Act was passed into law to require establishing a security vulnerability disclosure policy and a bug bounty program.

The decision to expand the ‘Hack DHS’ program comes on the heels of an emergency directive issued by CISA on Friday to order Federal Civilian Executive Branch agencies to patch the actively exploited and critical Log4Shell bug until December 23.

The federal agencies were given five more days until December 28 to report impacted Java products in their environments, including app and vendor names, the apps’ versions, and the actions taken to block exploitation attempts.

CISA provides a dedicated page for the Log4Shell flaw with patching information for vendors and affected organizations, and today the agency released a Log4j scanner to find vulnerable apps.

Together with cybersecurity agencies worldwide and other US federal agencies, CISA also issued a joint advisory with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security flaws.