The Log4j vulnerabilities discovered in December 2021 have captured the attention of cybersecurity professionals, as the free-to-use security tool lives on hundreds of millions of devices that could now be compromised.
The U.S. Department of Defense (DoD) is particularly concerned with the vulnerabilities, as there are potentially thousands of public-facing military websites that were exposed.
To address the issue, the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) announced Log4j vulnerabilities would be included in the "HackDHS" bug bounty program.
Almost immediately, roughly 50 vetted cybersecurity researchers were told to analyze all .mil websites and report on any potential exploits related to Log4j.
Katie Olson, Acting Director of the Defense Digital Service (DDS), recently discussed the effort with The Record:
"It was a really quick effort, and a really elegant solution, to use a contract that we already had in place with the crowdsource research community to very quickly do a scan of what might be affected within the DoD," Olson said.
The crowdsourced efforts have proved successful so far. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, discussed that success, noting researchers helped remediate 17 previously unidentified assets that were vulnerable to Log4j:
"It demonstrated the extraordinary power of crowdsourcing the research community to help not only the U.S. government but the broader nation find vulnerabilities before the adversary can use them," Goldstein said.
As for the rewards to the bug bounty hunters, DDS says it will pay $500 for each discovered vulnerability and an extra $500 if it's proven the vulnerability can be exploited.
Every discovery is referred to the DoD's Cyber Crime Center and is then shared with the Joint Force Headquarters-Department of Defense Information Network for remediation.
For more information on the Log4j bug bounties, see the story from The Record.