Hack DHS bug bounty expanded to include Log4j flaw

Homeland Security Secretary Alejandro Mayorkas on Tuesday announced that his department would broaden its new bug bounty program to incorporate vulnerabilities in its networks caused by the widely used Log4j software.

“In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems,” Mayorkas tweeted, referring to the effort that launched last week.

“In partnership with vetted hackers, the federal government will continue to secure nationwide systems and increase shared cyber resilience,” Mayorkas added.

The announcement is the latest attempt by federal officials to determine the scope, and the impact, of the Log4j flaw.

The Cybersecurity and Infrastructure Security Agency last week ordered federal agencies to take immediate steps to identify, patch, and mitigate Log4j vulnerabilities in their networks. 

Thus far, officials at the DHS cyber branch have said they have seen no signs of malicious actors using the vulnerability to breach the systems of federal departments and agencies but have warned of widespread attacks that utilize the flaw might still occur.

Last week, Mayorkas said security researchers participating in the bug bounty program would be paid anywhere from $500 to $5,000 "depending on the gravity of the vulnerability" they discover.