Apache Log4j - Bug Bounty Program

Project

Apache Log4j(TM) is a versatile, industrial-grade Java logging framework composed of an API, its implementation, and components to assist the deployment for various use cases.
Log4j is used by 8% of the Maven ecosystem and is listed by the OpenSSF as one of the top 100 critical open-source software projects.
The project is actively maintained by a team of several volunteers and supported by a big community.

We are committed to protecting the security of our users and preventing the next Log4Shell by not only focusing on high-quality software but also improving
our security processes and practices.

With this bug bounty program, we aim to encourage security researchers to help us identify and fix security vulnerabilities in the Apache Log4j project.

This bug bounty program is paid for by the Bug Resilience Program.

Program Rules

We encourage all security researchers who identify weaknesses in our software to read about our security page first: Security Page

• It already provides much information about how to report security vulnerabilities to us.

All security issues that are reported using this program are fairly rewarded.

You cannot attack our infrastructure, including our source code repositories.

We must be able to reproduce the system in our setup. We will not reward reports that we cannot reproduce.

We cannot reward duplicate reports. We will reward the first report of a vulnerability, which includes reports received outside of this program.

The triage team will use the "One Fix, One Reward" principle: if one or more components can be fixed using a single fix, only one issue will be eligible for a reward. All other reports will be closed as informative.

Please note that this process also applies across all the branches we maintain.

Important precautions and limitations

As a complement to the program rules and testing policy:

• Do not include personal information in your reports.
• Do not include secret materials, such as SSH keys, passwords, or other sensitive information.

Please consider that your report will be made public at some point.

Please let us know if you have special requirements regarding your identity or the report.

Scopes

Projects:

• log4j 2.x: the Log4j project version 2.x
• log4j kotlin: the log4j Kotlin API
• log4j scala: the log4j Scala API
• log4net: the log4j port to .NET
• log4cxx: the log4j port to C++

Some components are out-of-scope, as described in this program's "out of scope" part.

Other project repositories are out-of-scope. The 3.x (main) branch of Log4j is currently out of scope and will be added when the first stable release is published:

• log4j 3.x: the Log4j project version 3.x

The log4j-parent is considered out of scope since it is used for building the software only:

• log4j parent: the log4j maven modules for building

Eligibility

We thank everyone who submits valid reports.
However, only those who meet the following requirements can receive monetary rewards:

• You must be the first reporter
• The vulnerability must be qualifying
• You send a clear, textual description that can be reproduced, including all necessary attachments. PoC code in the form of a unit test is appreciated and recommended.
• You must not be a committer to the Apache Logging Services project.
• You are not an employee of Grobmeier Solutions GmbH or its contractors.
• Your PoC must be against against the default branch of the project, except stated otherwise.

Rating and Responsible Disclosure

The triage team will rate all security reports sent here.
Once confirmed, we will follow the CVE process and forward the report to the Apache Security Team as described in the Apache Security page.

All vulnerabilities will be rated and disclosed after sufficient time has passed.

We will publish advisories on our mailing lists and the Apache Logging Services website.

Please keep the information you have received private until we have published the advisory. Don't disclose the information to others.

We will include researcher credits if requested.