January 26, 2022

Homeland Security Expands Its Hack DHS Bug Bounty As Log4j Threat Intensifies


If you’re reading this, you probably don’t need to be told that a “bug bounty” is a cash prize paid to security researchers who find a software exploit. Non-Americans might need to be told that “DHS” refers to the US Department of Homeland Security. “Hack DHS” is the bug bounty program run by the agency, and “Log4j” is a hugely popular logging package used by thousands of applications that was recently hit by a critical security exploit. All of us up to speed now?

Kidding aside, whether or not you’re a regular reader of HotHardware, you’re surely well aware of the “Log4shell” security exploit. First discovered as a chat prank in Minecraft, it was quickly found that the flaw extended to a whole lot more than just a blocky survival game. CISA, the US agency in charge of cybersecurity threats (and a subdivision of the DHS), is still on all-hands alert over the flaw, and Microsoft even remarked that state-sponsored hackers around the world are trying to exploit Log4shell. AMD, NVIDIA, and Intel put out advisories for it, too.

The DHS set up the Hack DHS program just a week ago. The agency didn’t say that it was in response to the Log4shell vulnerability, but it was a few days after that flaw was publicly disclosed. (Then again, the US government doesn’t do anything that quickly.) The program, rather than being an open bug bounty like those offered by many private companies, is instead a closed program only open to “vetted cybersecurity researchers” on an invitational basis. The DHS will ask these “hackers” to investigate specific external DHS systems and identify vulnerabilities.

Hack DHS is taking place throughout FY 2022 in three phases. In phase one, security researchers will “conduct virtual assessments on certain DHS external systems,” and then in phase two, they’ll participate in “a live, in-person hacking event.” Finally, in the third phase, the DHS will identify and review the data, then perhaps plan for future bug bounty programs.

Well, today’s announcement comes directly from CISA director Jen Easterly, who posted the news on Twitter. Essentially, it’s simply that more bounties are being added to the Hack DHS program for Log4j vulnerabilities. While the primary Log4j exploit has already been patched (twice, because the original patch was itself flawed), there are still applications that include Log4j that have yet to be updated. Likewise, there can always be individual systems hanging around that haven’t been properly patched.

Of course, you have to be pre-selected for the Hack DHS program to be eligible for the bounties, which range up to $5,000 per bug. DHS says it will verify the issues within 48 hours of discovery and that they will be fixed in 15 days, or possibly more if the bugs are particularly severe. If you would like to see what CISA has to say on the subject of Log4shell and related exploits, the agency maintains a page for vulnerability guidance.
