Bug Bounty Programs Flooded With Log4j Findings
Bug hunters have already submitted thousands of vulnerability reports related to the Apache Log4j bug that continues to send shockwaves through the global software ecosystem.
The critical, CVSS 10-rated flaw in Log4j, an open-source Java logging library, allows cybercriminals to launch remote code execution (RCE) attacks against an arguably unparalleled number of potential targets.
Less than two weeks since the bug was publicly disclosed, more than 500 hackers have submitted close to 1,700 reports to over 400 programs on HackerOne alone. The US-based platform says that “during the initial peak” day for submissions, nearly 30% of hackers submitted vulnerability reports related to ‘Log4Shell’, as the bombshell bug has been dubbed.
Bugcrowd says it too has validated and triaged thousands of Log4j-related submissions since the crisis erupted. Paris-based bug bounty platform YesWeHack says it received 140 reports during the first week following Log4Shell’s disclosure on December 9. Over the weekend that followed the disclosure, fellow European platform Intigriti said it evaluated more than 130 such reports.
Increased automatization and reconnaissance tooling allow for prompt detection and quick coverage of wide attack surfaces, faster than most of our customers could act
The rapid response of bug hunters could hardly be more valuable given the widespread in-the-wild exploitation of the flaw. The issue, which was complicated by a bypass of the initial patch, affects numerous Apache projects, as well as consumer and enterprise applications from the likes of Microsoft, Cisco, and Google.
The bug bounty model is proving a vital part of a layered defense during the crisis, the platforms argue. Bug bounty is an active approach to security that involves tens, hundreds or even thousands of researchers, and can be of great help as organizations scramble to address this critical flaw with limited internal resources and time.