Security researchers are usually hesitant to report flaws in the code of military software, or other security holes in the military's cyber-based systems, mainly because they fear being accused of hacking and facing legal consequences.
Now the military itself is inviting hackers to point out vulnerabilities in its online systems, under a newly designed policy that applies across the whole department.
This comes as no surprise: the recent attacks on important government institutions, including the US Navy, are clear proof that the department needs to strengthen its security measures.
The new policy from the US Department of Defense gives hackers the green light to test their skills and tools against the department's web-based properties. The important restriction is that only web properties owned and operated by the Defense Department are in scope, and testing must stay within the rules the policy sets out.
The department made the announcement through HackerOne.com, a platform that helps organizations develop and manage vulnerability disclosure policies and run bug bounty programs that reward researchers for identifying security flaws.
It is the same platform supporting the US Army's upcoming bug bounty program, dubbed "Hack the Army," in which around 500 participants can earn cash rewards for reporting security flaws in the Army's online properties.
The policy's main purpose is to uncover hidden vulnerabilities in the department's networks and systems and to fix them in a timely manner. It also aims to clear up the confusion among security researchers about how to report vulnerabilities they find in military systems.
The policy took effect on November 21st. It should strengthen the security of the military's online presence by creating a centralized place for identifying and reporting security flaws, and by giving researchers a legally approved way to exercise their skills.
According to the US Department of Justice, research conducted under the policy will be treated as having been done in "good faith."
Researchers are authorized to "discover, test, and submit vulnerabilities or indicators of vulnerabilities" in accordance with the department's guidelines and ground rules. The authorized activities are:
> Testing a system to identify a vulnerability or an indicator of a vulnerability
> Testing after receiving information from the department regarding a vulnerability, or identifying and sharing a vulnerability or indicator of a vulnerability with the department
There is also a set of ten rules, essentially do's and don'ts, that the department asks researchers to abide by. They can be read on the policy page.
When a researcher reports a vulnerability, the department will first verify that the flaw actually exists and then inform the researcher about any ongoing remediation. Researchers, however, must refrain from disclosing their findings publicly until the department grants written approval to do so.
The department gives a clear reason for this restriction:
"We want researchers to be recognized publicly for their contributions if that is the researcher's desire. We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of DoD."
The Defense Department also explained why the security of its online properties and their operation matters so much:
“Many DoD technologies are deployed in combat zones and, to varying degrees, support ongoing military operations; the proper functioning of DoD systems and applications can have a life-or-death impact on Service members and international allies and partners of the United States.”
Furthermore, the department made clear that research must be restricted to the military's own online properties and that extreme care is expected at every step.
So what are you waiting for? Go and demonstrate your hacking skills, within the rules the policy lays out.

Sources: HackerOne, Army.mil