Bug bounty (Public)

Apache Log4j - Bug Bounty Program

Securing Open Source Ecosystem

Reward

Bounty and Hall of fame

Reward bands by severity: Low €100 to €500; Medium €500 to €3,000; High €3,000 to €5,000; Critical €5,000 to €10,000

Program

Avg reward: -
Max reward: -
Scopes: 5
Supported languages: English

Hacktivity

Reports: 5
1st response: < 1 day
Reports last 24h: -
Reports last week: -
Reports this month: -

Project

Apache Log4j(TM) is a versatile, industrial-grade Java logging framework composed of an API, its implementation, and components to assist the deployment for various use cases.
Log4j is used by 8% of the Maven ecosystem and is listed by the OpenSSF as one of the top 100 critical open-source software projects.
The project is actively maintained by a team of several volunteers and supported by a big community.

We are committed to protecting the security of our users and preventing the next Log4Shell by not only focusing on high-quality software but also improving
our security processes and practices.

With this bug bounty program, we aim to encourage security researchers to help us identify and fix security vulnerabilities in the Apache Log4j project.

This bug bounty program is paid for by the Bug Resilience Program.

Program Rules

We encourage all security researchers who identify weaknesses in our software to read our security page first (https://logging.apache.org/security.html). It already provides much information about how to report security vulnerabilities to us.

All security issues that are reported using this program are fairly rewarded.

You cannot attack our infrastructure, including our source code repositories.

We must be able to reproduce the system in our setup. We will not reward reports that we cannot reproduce.

We cannot reward duplicate reports. We will reward the first report of a vulnerability, which includes reports received outside of this program.

The triage team applies the "One Fix, One Reward" principle: if one or more reported issues or components can be addressed by a single fix, only one issue is eligible for a reward. All other reports will be closed as informative.

Please note that this process also applies across all the branches we maintain.

Important precautions and limitations

As a complement to the program rules and testing policy:

  • Do not include personal information in your reports.
  • Do not include secret materials, such as SSH keys, passwords, or other sensitive information.

Please consider that your report will be made public at some point.

Please let us know if you have special requirements regarding your identity or the report.

Scopes

Projects:

Some components are out of scope, as described in this program's "Out of scope" section.

Other project repositories are out-of-scope. The 3.x (main) branch of Log4j is currently out of scope and will be added when the first stable release is published:

The log4j-parent is considered out of scope since it is used for building the software only:

Eligibility

We thank everyone who submits valid reports.
However, only those who meet the following requirements can receive monetary rewards:

  • You must be the first reporter
  • The vulnerability must be qualifying
  • You must send a clear, written description that allows the issue to be reproduced, including all necessary attachments. PoC code in the form of a unit test is appreciated and recommended.
  • You must not be a committer to the Apache Logging Services project.
  • You must not be an employee of Grobmeier Solutions GmbH or one of its contractors.
  • Your PoC must target the default branch of the project, unless stated otherwise.

Rating and Responsible Disclosure

The triage team will rate all security reports sent here.
Once confirmed, we will follow the CVE process and forward the report to the Apache Security Team as described in the Apache Security page.

All vulnerabilities will be rated and disclosed after sufficient time has passed.

We will publish advisories on our mailing lists and the Apache Logging Services website.

Please keep the information you have received private until we have published the advisory. Don't disclose the information to others.

We will include researcher credits if requested.


Reward

Asset value    CVSS Low    CVSS Medium    CVSS High    CVSS Critical
Critical       €500        €3,000         €5,000       €10,000
Medium         €250        €1,500         €2,500       €5,000
Low            €100        €750           €1,250       €2,500

Scopes

Scope                   Type    Asset value    Low     Medium    High      Critical
Log4j 2.x               other   Critical       €500    €3,000    €5,000    €10,000
Log4j API for Kotlin    other   Medium         €250    €1,500    €2,500    €5,000
Log4j API for Scala     other   Medium         €250    €1,500    €2,500    €5,000
Log4cxx                 other   Low            €100    €750      €1,250    €2,500
Log4net                 other   Low            €100    €750      €1,250    €2,500

Out of scope

  • https://logging.apache.org
  • Anything related to mailing lists or other ASF infrastructure topics.
  • Cassandra Appender
  • Kafka Appender
  • CouchDB components
  • JSP Tag library
  • Everything excluded on this page is also out of scope: https://logging.apache.org/security.html

Vulnerability types

Qualifying vulnerabilities

  • Log injection
  • Log event loss
  • Memory safety
  • Remote code execution
  • Deadlocks
  • DoS (denial of service)

Non-qualifying vulnerabilities

  • Everything excluded on this page: https://logging.apache.org/security.html
  • Log injection in unstructured layouts (PatternLayout)
  • Anything not in the list of qualifying vulnerabilities is not accepted
  • Issues only found in outdated versions of our software
  • Issues found in dependencies
  • Attacks that rely on incorrect use of our API
  • Anything related to performance tests or general testing of the project
  • Anything related to the build of the project or general infrastructure topics
  • Issues that require programmatic configuration used outside the documented recommendations
  • Already known vulnerabilities

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: for reports that have already been rewarded, it is not possible to redistribute the rewards.