Project
Apache Log4j(TM) is a versatile, industrial-grade Java logging framework composed of an API, its implementation, and components that assist deployment for various use cases.
Log4j is used by 8% of the Maven ecosystem and is listed by the OpenSSF as one of the top 100 critical open-source software projects.
The project is actively maintained by a team of several volunteers and supported by a large community.
We are committed to protecting the security of our users and preventing the next Log4Shell, not only by focusing on high-quality software but also by improving our security processes and practices.
With this bug bounty program, we aim to encourage security researchers to help us identify and fix security vulnerabilities in the Apache Log4j project.
This bug bounty program is paid for by the Bug Resilience Program.
Program Rules
We encourage all security researchers who identify weaknesses in our software to read our security page first: Security Page. It already provides much information about how to report security vulnerabilities to us.
All security issues that are reported using this program are fairly rewarded.
You cannot attack our infrastructure, including our source code repositories.
We must be able to reproduce the issue in our own setup. We will not reward reports that we cannot reproduce.
We cannot reward duplicate reports. We will reward the first report of a vulnerability, which includes reports received outside of this program.
The triage team will use the "One Fix, One Reward" principle: if one or more components can be fixed using a single fix, only one issue will be eligible for a reward. All other reports will be closed as informative.
Please note that this process also applies across all the branches we maintain.
Important precautions and limitations
As a complement to the program rules and testing policy:
- Do not include personal information in your reports.
- Do not include secret materials, such as SSH keys, passwords, or other sensitive information.
Please consider that your report will be made public at some point.
Please let us know if you have special requirements regarding your identity or the report.
Scopes
Projects:
- log4j 2.x: the Log4j project version 2.x
- log4j kotlin: the log4j Kotlin API
- log4j scala: the log4j Scala API
- log4net: the log4j port to .NET
- log4cxx: the log4j port to C++
Some components are out of scope, as described in this program's "Out of scope" section.
Other project repositories are out-of-scope. The 3.x (main) branch of Log4j is currently out of scope and will be added when the first stable release is published:
- log4j 3.x: the Log4j project version 3.x
The log4j-parent is considered out of scope since it is used for building the software only:
- log4j parent: the log4j maven modules for building
Eligibility
We thank everyone who submits valid reports.
However, only those who meet the following requirements can receive monetary rewards:
- You must be the first reporter
- The vulnerability must be qualifying
- You must send a clear, textual description that can be reproduced, including all necessary attachments. PoC code in the form of a unit test is appreciated and recommended.
- You must not be a committer to the Apache Logging Services project.
- You are not an employee of Grobmeier Solutions GmbH or its contractors.
- Your PoC must be against the default branch of the project, unless stated otherwise.
Rating and Responsible Disclosure
The triage team will rate all security reports sent here.
Once confirmed, we will follow the CVE process and forward the report to the Apache Security Team as described in the Apache Security page.
All vulnerabilities will be rated and disclosed after sufficient time has passed.
We will publish advisories on our mailing lists and the Apache Logging Services website.
Please keep the information you have received private until we have published the advisory. Don't disclose the information to others.
We will include researcher credits if requested.
Reward
| Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| | €500 | €3,000 | €5,000 | €10,000 |
| | €250 | €1,500 | €2,500 | €5,000 |
| | €100 | €750 | €1,250 | €2,500 |
Scopes
| Scope | Type | Asset value |
|---|---|---|
| Log4j 2.x | other | |
| Log4j API for Kotlin | other | |
| Log4j API for Scala | other | |
| Log4cxx | other | |
| Log4net | other | |
Out of scope
- https://logging.apache.org
- Anything related to mailing lists or other ASF infrastructure topics.
- Cassandra Appender
- Kafka Appender
- CouchDB components
- JSP Tag library
- Everything that is excluded on this page is also out of scope: https://logging.apache.org/security.html
Vulnerability types
Qualifying vulnerabilities
- Log injections
- Log event loss
- Memory safety
- Remote code execution
- Deadlocks
- DoS (denial of service)
Non-qualifying vulnerabilities
- Everything excluded on this page: https://logging.apache.org/security.html
- Log injection for unstructured layouts (PatternLayout)
- Everything not in the qualifying vulnerabilities list is not accepted
- Issues only found in outdated versions of our software
- Issues found in dependencies
- Attacks that incorrectly use our API
- Everything related to performance tests or general testing of the project
- Everything related to the build of the project or general infrastructure topics
- Programmatic configuration used outside the documented recommendations
- Already known vulnerabilities
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.