HackDHS bug bounty program accepts reports of Log4j-related flaws in DHS systems

The DHS has announced that it is expanding the ‘Hack DHS’ bug bounty program to report for Log4J impacting its systems.

The Department of Homeland Security (DHS) announced that white hat hackers can now report the impact of the Log4J on its systems as part of the ‘Hack DHS‘ bug bounty program.

Below is the announcement of DHS Secretary Alejandro N. Mayorkas.

The Department of Homeland Security (DHS) has launched the ‘Hack DHS’ bug bounty program last week to allow vetted white hat hackers to discover and report security vulnerabilities in external DHS systems.

The Hack DHS bug bounty program will occur in three phases throughout Fiscal Year 2022. During the first phase, researchers will perform remote vulnerability assessments on certain DHS external systems. In the second phase, the experts will participate in a live, in-person hacking event, while in the third phase, DHS will identify and review lessons learned, and plan for future bug bounties.

The new bug bounty program will use a platform developed by the Cybersecurity and Infrastructure Security Agency (CISA) and will be monitored by the DHS Office of the Chief Information Officer.

Participants to the Hack DHS will receive rewards between $500 and $5,000 for each reported issue depending on its severity. 

DHS will verify reported security vulnerabilities within 48 hours and will address them in 15 days or more, depending on the effort needed to address them.

Government experts are aware that nation-state actors started exploiting the Log4J vulnerability after the public disclosure

Last week, CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including the Log4Shell Log4j. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are required to address this vulnerability by December 24.

The federal agencies have additional five days to address the flaw in their infrastructure.

CISA also published an Apache Log4j Vulnerability Guidance for vendors and affected organizations, it also released an open-source Log4j scanner for identifying web services impacted by Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4J)

[adrotate banner=”5″]

[adrotate banner=”13″]