Homeland Security Expands Its Hack DHS Bug Bounty As Log4j Threat Intensifies

hero hacker text on face
If you're reading this, you probably don't need to be told that a "bug bounty" is a cash prize paid to security researchers that find a software exploit. Non-USians might need to be told that "DHS" refers to the United States Department of Homeland Security. "Hack DHS" is the bug bounty program run by the agency, and "Log4j" is a super-popular logging package used by thousands of applications that was recently hit by a critical security exploit. We all up to speed now?

Kidding aside, whether you're a regular reader of HotHardware or not, you're surely well aware of the "Log4shell" security exploit. First discovered as a chat prank in Minecraft, it was quickly found that the flaw extended to a whole lot more than just a blocky survival game. CISA, the US agency in charge of cybersecurity threats (and a subdivision of the DHS), is still on all-hands alert over the flaw, and Microsoft even remarked that state-sponsored hackers around the world are trying to exploit Log4shell. AMD, NVIDIA, and Intel put out advisories for it, too.

The DHS set up the Hack DHS program just a week ago. The group didn't say that it was in response to the Log4shell vulnerability, but it was several days after that flaw was publicly disclosed. (Then again, the US government doesn't do anything that quickly.) The program, rather than being an open bug bounty like those offered by many private companies, is instead a closed program only open to "vetted cybersecurity researchers" on an invitational basis. The DHS will ask these "hackers" to investigate specific external DHS systems and identify vulnerabilities.

Hack DHS is taking place throughout FY 2022 in three phases. In phase one, security researchers will "conduct virtual assessments on certain DHS external systems," and then in phase two, they'll participate in "a live, in-person hacking event." Finally, in the third phase, the DHS will identify and review the data, then perhaps plan for future bug bounty programs.

Well, today's announcement comes directly from CISA director Jen Easterly, who posted the news on Twitter. Essentially, it's simply that additional bounties are being added to the Hack DHS program for Log4j vulnerabilities. While the primary Log4j exploit has already been patched—twice, because the original patch was itself flawed—there are still applications that include Log4j that have yet to be updated. Likewise, there can always be individual systems hanging around that haven't been properly patched.

Of course, you have to be pre-selected for the Hack DHS program to be eligible for the bounties, which range up to $5,000 per bug. DHS says it will verify the flaws within 48 hours of discovery and that they will be fixed in 15 days, or possibly more if the bugs are particularly severe. If you'd like to see what CISA has to say on the topic of Log4shell and related exploits, the agency maintains a page for vulnerability guidance.