DoD officials have announced two initiatives to help strengthen cybersecurity in the Army and Defense Department.
The Vulnerability Disclosure Policy is an offshoot of the Hack the Pentagon program introduced by the DoD last spring. It provides a legal way for ethical hackers to search for vulnerabilities on Defense Department websites.
The vulnerability disclosure program will apply to all publicly accessible DoD websites and be open to any U.S. citizen or resident.
According to officials, the policy gives white hat hackers clear guidelines for testing and disclosing vulnerabilities.
“We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security,” said Defense Secretary Ash Carter.
Hack the Army is the second bug-bounty challenge in DoD, and it also provides clear guidelines for security researchers to find and disclose vulnerabilities to the Pentagon without fears of repercussions.
“We want to engage with those researchers so we can fix those bugs before the bad guys have a chance to find them,” Charley Snyder, senior DoD cyber policy adviser, said during a press briefing.
The Army bug bounty challenge will engage the services of approximately 500 vetted security researchers, and will focus more on operationally relevant web sites, especially those that affect Army recruiting, officials said.
Both programs are being managed in cooperation with the bug bounty organizer HackerOne.
“DoD’s first bug bounty, Hack the Pentagon, exceeded expectations. All told, more than 1,400 hackers were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report. Of all the submissions we received, 138 were determined to be legitimate, unique, and eligible for a bounty,” wrote Carter in a post on Medium.