‘Hack DHS’ bug bounty program expands to Log4j security flaws
The Department of Homeland Security has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.
The 'Hack DHS' bug bounty program was announced last week.
All reported security flaws will be verified by the DHS within 48 hours and be fixed in 15 days or more, depending on their complexity.
The DHS launched its first bug bounty pilot program in 2019 after the SECURE Technology Act was passed into law to require establishing a security vulnerability disclosure policy and a bug bounty program.
The decision to expand the 'Hack DHS' program comes on the heels of an emergency directive issued by CISA on Friday ordering Federal Civilian Executive Branch agencies to patch the actively exploited and critical Log4Shell bug by December 23.
Together with cybersecurity agencies worldwide and other US federal agencies, CISA also issued a joint advisory with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security flaws.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-18 | CVE-2021-45105 | Uncontrolled Recursion vulnerability in multiple products: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. | 5.9 |
2021-12-14 | CVE-2021-45046 | Expression Language Injection vulnerability in multiple products: it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 |
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability (CWE-502) in multiple products: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10.0 |
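An added example, not code from the article or from the Apache project: a small Python triage helper that maps a Log4j 2 version string, or a log4j-core jar filename taken from an asset inventory, onto the three CVEs in the table above using the version ranges and excluded backport releases it lists. It assumes versions follow Log4j's major.minor[.patch][-alphaN|-betaN|-rcN] form, and for CVE-2021-45046 it flags only 2.15.0, the single version the table names for that flaw.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Pre-release labels sort before the final release: 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_JAR_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d+)?)\.jar$")

# (first affected, last affected, excluded security releases), taken from the table above.
# CVE-2021-45046 is pinned to 2.15.0, the only version the table names for it (assumption).
AFFECTED: Dict[str, Tuple[str, str, Set[str]]] = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0", {"2.12.2", "2.12.3", "2.3.1"}),
    "CVE-2021-45046": ("2.15.0", "2.15.0", set()),
    "CVE-2021-45105": ("2.0-alpha1", "2.16.0", {"2.12.3", "2.3.1"}),
}

def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Convert a Log4j 2 version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre] if pre else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))

def is_affected(version: str, first: str, last: str, excluded: Set[str]) -> bool:
    """True when version lies in [first, last] and is not an excluded backport release."""
    key = version_key(version)
    if any(key == version_key(x) for x in excluded):
        return False
    return version_key(first) <= key <= version_key(last)

def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the table that apply to this version, in CVE-number order."""
    return [cve for cve, (first, last, excl) in AFFECTED.items()
            if is_affected(version, first, last, excl)]

def log4j_version_from_jar(filename: str) -> Optional[str]:
    """Pull the version out of a log4j-core jar name as found in an asset inventory."""
    m = _JAR_RE.search(filename)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed sample inventory entries, not real hosts or paths.
    for jar in ["log4j-core-2.14.1.jar", "log4j-core-2.12.2.jar", "log4j-core-2.17.0.jar"]:
        v = log4j_version_from_jar(jar)
        print(jar, "->", affected_cves(v) if v else "no log4j-core version found")
```

A version that reports no CVE here (for example 2.12.2 still reports CVE-2021-45105) only clears the three flaws in this table, not any later advisory.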