November 21, 2016
Two initiatives were rolled out today to strengthen the cyber security environment in the Defense Department and the Army, DoD officials announced.
The first initiative is part of the “Hack the Pentagon” program that debuted last spring, officials said. Called the Vulnerability Disclosure Policy, it provides a legal avenue for digital security researchers who find and disclose vulnerabilities in DoD’s public websites.
The policy gives researchers clear guidance for testing and disclosing vulnerabilities, and also commits DoD to work openly and in good faith with outside researchers, officials said.
“The Vulnerability Disclosure Policy is like ‘see something, say something’ for the digital domain,” Defense Secretary Ash Carter said.
“We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security,” the secretary said.
DoD Effort Aligns With Private Sector
The Hack the Pentagon pilot was the first bug bounty in the history of the federal government, officials said.
Using vetted hackers, DoD adopted a method similar to commercial-sector crowdsourcing to identify security vulnerabilities in DoD’s systems. “Hack the Pentagon” was modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services, according to officials.
When the Hack the Pentagon results were released in June, the department recognized a need to provide a standard avenue for researchers to report vulnerabilities, DoD Cyber Policy Senior Advisor Charley Snyder and Defense Digital Service Bureaucracy Hacker Lisa Wiswell said in a briefing with reporters Nov. 18.
The new policy, effective today, allows for a safe, secure, and legal opportunity for researchers to report such vulnerabilities, Snyder and Wiswell said.
While private industry produces similar policies, DoD’s initiative is the first in the federal government, officials said.
DoD consulted with the Justice Department’s criminal division when developing DoD’s Vulnerability Disclosure Policy, and Leslie Caldwell, DOJ’s assistant attorney general, called the initiative “a laudable way to help computer security researchers use their skills in an effective, beneficial and lawful manner to reduce security vulnerabilities.”