‘Hack DHS’ bug bounty program expands to Log4j security flaws
2021-12-22 20:30

The Department of Homeland Security has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.

The 'Hack DHS' bug bounty program was announced last week.

All reported security flaws will be verified by the DHS within 48 hours and be fixed in 15 days or more, depending on their complexity.

The DHS launched its first bug bounty pilot program in 2019 after the SECURE Technology Act was passed into law to require establishing a security vulnerability disclosure policy and a bug bounty program.

The decision to expand the 'Hack DHS' program comes on the heels of an emergency directive issued by CISA on Friday ordering Federal Civilian Executive Branch agencies to patch the actively exploited and critical Log4Shell bug by December 23.

Together with cybersecurity agencies worldwide and other US federal agencies, CISA also issued a joint advisory with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security flaws.


News URL

https://www.bleepingcomputer.com/news/security/hack-dhs-bug-bounty-program-expands-to-log4j-security-flaws/

Related Vulnerability

DATE: 2021-12-18
CVE: CVE-2021-45105
VULNERABILITY TITLE: Uncontrolled Recursion vulnerability in multiple products
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
network, high complexity
apache, netapp, debian, sonicwall, oracle
CWE-674
RISK: 5.9

DATE: 2021-12-14
CVE: CVE-2021-45046
VULNERABILITY TITLE: Expression Language Injection vulnerability in multiple products
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
network, high complexity
apache, intel, cvat, siemens, debian, sonicwall, fedoraproject
CWE-917
RISK: critical, 9.0

DATE: 2021-12-10
CVE: CVE-2021-44228
VULNERABILITY TITLE: Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
RISK: 10.0