‘Hack DHS’ bug bounty program expands to Log4j security flaws
2021-12-22 20:30

The Department of Homeland Security has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.

The 'Hack DHS' bug bounty program was announced last week.

All reported security flaws will be verified by the DHS within 48 hours and be fixed in 15 days or more, depending on their complexity.

The DHS launched its first bug bounty pilot program in 2019 after the SECURE Technology Act was passed into law, requiring the establishment of a security vulnerability disclosure policy and a bug bounty program.

The decision to expand the 'Hack DHS' program comes on the heels of an emergency directive issued by CISA on Friday ordering Federal Civilian Executive Branch agencies to patch the actively exploited and critical Log4Shell bug by December 23.

Together with cybersecurity agencies worldwide and other US federal agencies, CISA also issued a joint advisory with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security flaws.


News URL

https://www.bleepingcomputer.com/news/security/hack-dhs-bug-bounty-program-expands-to-log4j-security-flaws/