The US Department of Homeland Security (DHS) is expanding its newly launched bug bounty program to include the now-infamous Apache Log4j flaws. New perks for bug hunters are also included.
“In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems,” reads the announcement tweeted by Secretary Alejandro Mayorkas.
Kicked off last week, ‘Hack DHS’ encourages ethical hackers to identify cybersecurity vulnerabilities within certain DHS systems to reinforce the Department’s cybersecurity resilience.
Notably, the program is open solely to ‘vetted’ cybersecurity researchers.
“Through Hack DHS, vetted cybersecurity researchers who have been invited to access select external DHS systems will identify vulnerabilities that could be exploited by bad actors so they can be patched. These hackers will be rewarded with payments for the bugs they identify,” the DHS said last week.
The program leverages a platform created by the Cybersecurity and Infrastructure Security Agency (CISA) and is governed by strict rules of engagement. Researchers are to disclose their findings to DHS system owners and provide workable proofs of concept. As is typical of bug bounty programs, hackers identifying the most severe flaws stand to earn the highest bounties.
CISA Director Jen Easterly applauds the decision to include hunting for Log4j bugs.
“Huge thanks to the researcher community taking part in this program. Log4j is a global threat & it’s great to have some of the world’s best helping us keep orgs safe,” Easterly tweeted.
Bitdefender has published an in-depth technical advisory on the critical Log4j flaw.