DHS expands bug bounty program to encourage hunting down Apache vulnerability

The Department of Homeland Security (DHS) is expanding its recently announced bug bounty program for cyber vulnerabilities to include incentives for hackers to hunt down issues related to the Apache logging library log4j vulnerability. 

The Hack DHS program, announced last week, will allow cybersecurity experts to hunt through some external DHS systems to find any vulnerabilities and to then receive payment for alerting DHS to those findings. 

“In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems,” DHS Secretary Alejandro Mayorkas tweeted Tuesday.

“In partnership with vetted hackers, the federal government will continue to secure nationwide systems and increase shared cyber resilience,” he added.

The urgency around the log4j vulnerability, first uncovered earlier this month, has left security professionals scrambling, as log4j is baked into the majority of systems used by organizations around the world. Nation states and cybercriminals alike have already used the vulnerability to target various groups, with the Belgian Ministry of Defense telling local media this week that it had been hacked by those using the log4j vulnerability.

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has been the key federal agency involved in responding to the vulnerability and working to ensure government agencies and private companies are aware of the threat. 

These efforts have included issuing an emergency directive last week ordering federal agencies to investigate and patch against the log4j vulnerability and holding calls with stakeholders on the security issue. Following a call Tuesday, CISA announced that nearly 5,000 individuals dialed in, with top leaders at the agency advising companies to take steps to secure their systems.