DHS Incentivizes Cyber Professionals to Hunt Down Log4j Vulnerabilities

The Department of Homeland Security is expanding the scope of its new bug bounty program to incentivize ethical hackers to find and patch log4j-related vulnerabilities in its systems.

The bug bounty program, announced by DHS Secretary Alejandro Mayorkas on Dec. 14, offers $500 to $5,000 in rewards for hackers depending on the severity of flaws that they spot on agency systems.

DHS’ move to include the log4j vulnerability in the program comes as nation states and cybercriminals exploit the emerging security flaw to target various groups, including the Belgian Ministry of Defense, The Hill reported Tuesday.

A spokesperson for the Belgian MoD detailed the attack in a local report Monday, saying the agency’s computer network was hacked and that officials have been unable to process requests online or answer queries via Facebook.

Security professionals are scrambling to patch the vulnerability in Apache logging library log4j. The vulnerability exposes users of Log4j versions 2.0-beta9 to 2.14.1 to unauthenticated remote code execution by adversaries.

The Cybersecurity and Infrastructure Security Agency already classified the flaw as a critical vulnerability and added the threat to its list of known exploited vulnerabilities to boost federal remediation efforts. CISA has given federal agencies until Friday to apply fixes.

Senior Biden administration cybersecurity officials Chris Inglis and Anne Neuberger also issued a joint letter warning company executives of hackers looking to take advantage of cyber vulnerabilities during the holiday season.