Log4J added to DHS bug bounty program

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas announced the expansion of the “Hack DHS” bug bounty program, noting on Twitter that it will now include vulnerabilities related to Log4J. 

“We opened our HackDHS bug bounty program to find and patch Log4j-related vulnerabilities in our systems,” Easterly said. “Huge thanks to the researcher community taking part in this program. Log4j is a global threat and it’s great to have some of the world’s best helping us keep orgs safe.”

On December 14, the Homeland Security Department announced the bug bounty program as a way to identify cybersecurity gaps and vulnerabilities in their systems. They gave “vetted” cybersecurity researchers access to “select external DHS systems” and asked them to find bugs. 

Secretary Alejandro Mayorkas called DHS the “federal government’s cybersecurity quarterback” and said the program “incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”  

“This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity,” Mayorkas said. 

In the original outline of the program, DHS planned for the bug bounty effort to occur in three different phases in 2022. Once the hackers finished conducting a virtual assessment of DHS external systems, they will be invited to take part in a live, in-person hacking event.

The last phase involved DHS taking the recommendations and planning for the next bug bounty programs. DHS intends to make the program something any government agency could do. 

“Hack DHS, which will leverage a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer.  Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information,” DHS explained.  

“The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs. Hack DHS builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government, such as the Department of Defense’s ‘Hack the Pentagon’ program.”  

This won’t be the first bug bounty program run by DHS. They ran a pilot program of the effort in 2019 after legislation was passed thanks to the bipartisan coalition behind the SECURE Technology Act. DHS explained that the law allows them to pay people chosen to evaluate DHS systems by mimicking hacker behavior.