Andreas Prott -

Log4Shell: How friendly hackers rose to the challenge

HackerOne CISO Chris Evans looks back at how the security community successfully rose to the challenge of Log4Shell, and saved end-user organisations millions

Imagine the scene: a severe vulnerability emerges that affects organisations worldwide, allowing unauthorised access to highly sensitive data. This scenario happened in late 2021 when a popular open source tool published a critical vulnerability called Log4Shell.

So, what exactly happened? Log4Shell is a software vulnerability found in Apache Log4j, a widely used Java library for logging error messages in applications. It sent organisations into panic mode as they scrambled to discover if they were vulnerable.

Amid the panic, the hacking community sprang to action, hunting the vulnerability across the internet and providing real-time reports central to remediation efforts.

A quick response window is incredibly valuable with a vulnerability such as Log4Shell. For some organisations, the choice is either move fast or become victim to a breach. When there’s a significant new vulnerability uncovered, being connected to the ethical community is an additional safety net for organisations.

The platform adapts to the situation. In the case of Log4Shell, the hacking community submitted hundreds of vulnerability reports within 24 hours of the public disclosure, showing just how far and wide the vulnerability was. 

Several months later, where do we stand with the Log4Shell issue? We’ve seen thousands of reports, and a total of 398 unique reports have received a bounty to date. The running bounty total across our platform alone is $1,284,847.

That’s a lot of money awarded to hackers, but on the other hand, it’s a small price to pay relative to the cost of a breach – calculated to average $4m by IBM. Although the total volume has slowed, hackers continue to find a handful of Log4Shell vulnerabilities every day. 

On the business side, speedy communication and remediation will attract more hackers to a bug bounty program. It’s a win-win scenario for hackers and enterprises alike – customer programmes bid for the time spent by hackers looking for security flaws. Customers bid not only by trying to offer the largest bounties, but also by running their programs to a high standard.

Hackers jump at the opportunity to help support the industry when it comes to such large-scale threats. The global hacking community offers a diverse range of insights, and a variety of viewpoints, backgrounds and experiences, all of which are extremely useful for getting broad and deep coverage.

Put another way, humans exhibit a level of creativity and intuition that automated tools and scanners cannot. Perhaps artificial intelligence will improve software in the longer term, but for the foreseeable future, enterprises will need to remain robustly partnered with the hacking community to keep on top of threats. 

Organisations shouldn’t take hacking solutions for granted. Hackers might rush to our aid, but this was also an incredibly stressful time for them. It’s critical for hackers to feel heard and valued. Vulnerability disclosure can be a murky process at times and vulnerability disclosure policies (VDPs) have sufficient guidelines to ensure the protection of the hacking community and organisations.    

With increasing digital transformation and cloud migration, we will inevitably see more vulnerabilities arise. As shown by our 2022 attack resistance report, one-third of global enterprises observe less than 75% of their total attack surface, leaving them vulnerable to external threats in a time of rapid digital transformation and development.

The businesses that will ultimately stay ahead will be those that continue to ensure their security is constantly evolving, and working with hackers is the best way to have a constant eye to spot, identify and fix flaws before bad actors can exploit them. 

Chris Evans is CISO, and chief hacking officer at HackerOne, an ethical hacking and bug bounty platform.

Read more about ethical hacking

Read more on Hackers and cybercrime prevention

Data Center
Data Management