Hackers of all stripes looking to test their mettle can now legally hone their cyber skills, tools and weaponry against any Web property operated by the U.S. Department of Defense (DoD), according to a new military-wide policy for reporting and fixing security vulnerabilities.
Security researchers are often reluctant to report programming flaws or security holes they’ve stumbled upon for fear that the vulnerable organization might instead decide to shoot the messenger and pursue hacking charges.
But on Nov. 21, the DoD sought to clear up any ambiguity on that front for the military’s substantial online presence, creating both a centralized place to report cybersecurity flaws across the dot-mil space and a legal safe harbor (and the prospect of public recognition) for researchers who abide by a few ground rules.
The DoD said it would “deal in good faith” with researchers “who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
“Your activities are limited exclusively to –
(1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
(2) Sharing with, or receiving from, DoD information about a vulnerability or an indicator related to a vulnerability.”
The Department of Defense also issued the following ten commandments for demonstrating compliance with its policy:
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on DoD information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy or safety of DoD personnel (e.g. civilian employees or military members), or any third parties.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any DoD personnel or entities, or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from DoD.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of DoD personnel or contractors.
- You do not submit a high-volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
In return, the DoD said it commits to acknowledging receipt of a report within three business days, and that it will work to confirm the existence of the vulnerability to the researcher and keep the researcher informed of any remediation underway. There are some restrictions, however. For example, researchers who report vulnerabilities will be expected to refrain from publicly disclosing their findings unless and until the DoD provides written consent that it’s okay to do so.
“We want researchers to be recognized publicly for their contributions, if that is the researcher’s desire,” the DoD stated. “We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of DoD.”
The DoD said if it couldn’t immediately fix or publicly acknowledge reported vulnerabilities, it might be because doing so could have life-or-death consequences for service members.
“Many DoD technologies are deployed in combat zones and, to varying degrees, support ongoing military operations; the proper functioning of DoD systems and applications can have a life-or-death impact on Service members and international allies and partners of the United States,” the agency observed. “DoD must take extra care while investigating the impact of vulnerabilities and providing a fix, so we ask your patience during this period.”
HACK THE ARMY
The Defense Department made the announcement via Hackerone.com, a company that helps organizations build and manage vulnerability reporting policies. HackerOne also helps customers build out “bug bounty” programs that remunerate and recognize researchers who report security flaws.
HackerOne currently is coordinating an upcoming bug bounty program called “Hack the Army,” in which some 500 qualifying contestants can earn cash rewards for finding and reporting cybersecurity weaknesses in the Army’s various online properties (incidentally, Hack the Army runs from Nov. 30 through Dec. 21, 2016, and interested/eligible hackers have until Nov. 28, at 17:00 EST to apply for a shot at one of those 500 spots).