
Log4j added to DHS bug bounty program

Dec 22, 2021 Hi-network.com

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas announced the expansion of the "Hack DHS" bug bounty program, noting on Twitter that it will now include vulnerabilities related to Log4j. 

"We opened our HackDHS bug bounty program to find and patch Log4j-related vulnerabilities in our systems," Easterly said. "Huge thanks to the researcher community taking part in this program. Log4j is a global threat and it's great to have some of the world's best helping us keep orgs safe."


On December 14, the Homeland Security Department announced the bug bounty program as a way to identify cybersecurity gaps and vulnerabilities in their systems. They gave "vetted" cybersecurity researchers access to "select external DHS systems" and asked them to find bugs. 

Secretary Alejandro Mayorkas called DHS the "federal government's cybersecurity quarterback" and said the program "incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors."  

"This program is one example of how the Department is partnering with the community to help protect our Nation's cybersecurity," Mayorkas said. 

In the original outline of the program, DHS planned for the bug bounty effort to occur in three phases in 2022. Once the hackers have finished conducting a virtual assessment of DHS external systems, they will be invited to take part in a live, in-person hacking event.

The last phase involves DHS taking the recommendations and planning for the next bug bounty programs. DHS intends to make the program something any government agency could run.

"Hack DHS, which will leverage a platform created by the Department's Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer. Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information," DHS explained.

"The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs. Hack DHS builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government, such as the Department of Defense's 'Hack the Pentagon' program."  

This won't be the first bug bounty program run by DHS. The department ran a pilot program in 2019 after legislation was passed thanks to the bipartisan coalition behind the SECURE Technology Act. DHS explained that the law allows it to pay people chosen to evaluate DHS systems by mimicking hacker behavior.


