The United States Department of Defense (DoD) has announced that it has created its own vulnerability disclosure policy. For more information on the topic, continue reading.
The Government-Sponsored Vulnerability Disclosure Policy Is Now a Fact
The US Department of Defense (DoD) has finally revealed that it has created its own vulnerability disclosure policy. It aims to give security researchers guidance on disclosing security issues found on the institution's public websites. However, in contrast to other bug bounty programs, it does not offer any rewards to contributors. Instead it serves to encourage security researchers to help strengthen the nation's defenses.
Security researchers who discover vulnerabilities in any of the public websites that are owned, operated or controlled by the DoD can submit a report via the HackerOne platform. The organization promises to review all submitted reports within three business days and to publicly recognize the people who contribute by reporting legitimate issues.
According to the posted policy, the submitted reports will be used to mitigate or fix vulnerabilities both in the institution's own networks and applications and in the third-party ones it uses. The HackerOne page describes this as an "initial effort" to build a positive feedback loop between the security community and the DoD.
As with other bug bounty programs, researchers need to submit proof and details that include the following information:
- Issue Type
- Product Name
- Product Version
- Software Configuration
- Reproduction Steps
- Issue Impact
- Suggested Mitigation Steps
The guidelines posted for the disclosure program read as follows:
- Your activities are limited exclusively to:
  - (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
  - (2) Sharing with, or receiving from, DoD information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on DoD information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy or safety of DoD personnel (e.g. civilian employees or military members), or any third parties.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any DoD personnel or entities, or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from DoD.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of DoD personnel or contractors.
- You do not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
For more information, visit HackerOne's detailed page on the matter.