In-brief: The U.S. Department of Defense published guidelines on Monday for independent security researchers to disclose vulnerabilities in DoD’s public facing systems. The program, managed by the firm HackerOne, provides a legal route for hackers to disclose vulnerabilities to the military.
The announcement follows the launch of a “Hack the Army” bounty program by the U.S. Army on November 11 and an earlier bug bounty pilot from the Department of Defense, which was unveiled in March. In a statement, the DoD said that the Vulnerability Disclosure Policy is a “‘see something, say something’ policy for the digital domain.” “We want to encourage computer security researchers to help us improve our defenses,” said Secretary of Defense Ash Carter. “This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
According to the DoD, researchers will be able to test public-facing systems to detect a vulnerability and then share that finding with the Department of Defense. Researchers are prohibited from siphoning data from DoD systems as part of their research or compromising the “privacy or safety of DoD personnel,” among other limitations. Researchers can’t “phish” DoD personnel or carry out denial of service attacks against DoD assets. While researchers who discover vulnerabilities will be recognized by the DoD, they will not receive cash rewards for finding security holes.
However, the parallel Hack the Army program, which opened its doors on Monday, does provide cash incentives for information on security holes in public facing systems operated by the U.S. Army. That program is also being managed by the firm HackerOne.
Bug bounty programs have become common in the private sector, particularly among technology firms interested in tapping into a broad community of security experts to help secure their products. Facebook, Google, Yahoo and Microsoft all offer cash rewards for information on software security holes in their products and services. In recent months, bounty programs have spread to companies selling connected products. In July, Fiat Chrysler announced its bounty program, following the lead of GM and others.
But public sector adoption of the programs has lagged. The Department of Health and Human Services is reportedly mulling a bounty program for connected medical devices.
Security experts say that, while bounty programs can provide real benefits to organizations, such incentive programs can also demand significant internal resources to support. Experts like Josh Corman of the group I Am The Cavalry advocate a gradual approach to launching bounties akin to the approach the DoD appears to be modelling: low-intensity, “recognition only” and selective private bounty programs at first. Eventually, full public bounty programs offering cash rewards can be introduced.