The Department of Defense promised upon the inception of the Hack the Pentagon bug bounty program that it would continue to engage white-hats.
Hack the Pentagon set the tone with more than 1,400 participants and 138 vulnerabilities resolved during the 24-day trial during the spring. Two weeks ago, the Hack the Army bounty was announced—registration officially opened Monday—and officials said the success of Hack the Pentagon was the inspiration behind the Army’s program.
On Monday, Secretary of Defense Ash Carter continued that engagement when he signed a vulnerability disclosure policy that establishes ground rules and guidance going forward for researchers who find and wish to privately disclose bugs on any DoD website.
“For the first time, anyone who identifies a security issue on a DoD website will have clear guidance on how to disclose that vulnerability in a safe, secure, and legal way. This policy is the first of its kind for the Department,” Carter said. “It provides left and right parameters to security researchers for testing for and disclosing vulnerabilities in DoD websites, and commits the Department to working openly and in good faith with researchers.”
Carter called it a “see-something, say-something” policy that spells out the scope and terms under which DoD networks and systems can be tested.
“DoD is committed to being open, engaged, and accepting of skilled researchers who can help us improve our defenses — and to providing the legal avenues for these security researchers to do so,” Carter said. “We hope that this policy will yield a steady stream of disclosures, allowing us to find and fix issues faster.”
The guidelines promise that the DoD will deal in good faith with researchers, insofar as the researcher’s work is limited to testing networks to detect vulnerabilities, and sharing bug and indicator details with the DoD.
“This policy makes me optimistic about the prospects for free and open security research. Instead of criminalizing curiosity, this policy recognizes the valuable contributions of the security experts when it comes to vulnerability discovery and disclosure,” said Tod Beardsley, senior security manager at Rapid7.
White hats a year ago were tangling with the overly broad proposed U.S. implementation of the Wassenaar Arrangement. The original draft of the rules snared legitimate research and tools under Wassenaar and would have required expensive export control licenses. The rules were drafted to impose controls on surveillance software written by companies such as Hacking Team, Gamma International and others, software that is sold in oppressive regions of the world and puts civil liberties at risk. Yet the draft contained no exemptions for commercial pen-testing tools and other legitimate security software, for example. Also, the development of proof-of-concept exploits would fall under Wassenaar and require an export license before they could be shared. Such exploits are crucial for vendors as they examine vulnerabilities in their products and try to reproduce the conditions that could put data at risk.
Researchers were loud with their concerns that legitimate research would be imperiled under the rules before they were pulled off the table last year.
“Adopting this policy goes a long way to legitimize the act of security research across all websites,” Beardsley said. “Hackers the world over can point to this policy to help get other organizations, large and small, to recognize the reality that good faith efforts to ‘see something, say something’ have positive and immediate benefits when it comes to internet security.”
HackerOne is managing the DoD’s engagement with researchers, and on Monday posted the agency’s disclosure policy on its website. The policy includes a dozen bullet points that spell out what’s allowed in order to protect intellectual property and personal data stored on the DoD networks. It also spells out legal protections afforded researchers.
“If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) DoD will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than DoD, DoD will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.”